CVE-2025-47278: 
Flask vulnerability analysis and mitigation

Flask, a web server gateway interface (WSGI) web application framework, was found to have a vulnerability in version 3.1.0 (CVE-2025-47278) related to key configuration handling. The issue was discovered and disclosed on May 13, 2025, affecting the way fallback key configuration was managed in the framework (GitHub Advisory).

The vulnerability stems from incorrect handling of signing key order in Flask 3.1.0. The framework uses the itsdangerous library for signing, which expects the most recent key to be the last (top) key in the list for signing purposes. However, Flask was constructing this list in reverse order, placing the signing key first instead of last. This implementation error affects sites that have opted to use key rotation by setting SECRETKEYFALLBACKS (GitHub Advisory). The vulnerability has been assigned a CVSS v4.0 base score of 1.8 (Low) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (NVD).

The primary impact of this vulnerability is that affected sites are likely to unexpectedly sign their sessions with stale keys, impeding their transition to fresher keys. However, it's important to note that sessions remain signed, preventing any data integrity loss (GitHub Advisory).

The vulnerability has been patched in Flask version 3.1.1. Users are advised to upgrade to this version to resolve the issue (Flask Release).