flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.

Flask 2.2.5 and 2.3.2 include a fix for CVE-2023-30861: When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches 'Set-Cookie' headers, it may send one client's 'session' cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met:
1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets 'session.permanent = True'
3. The application does not access or modify the session at any point during a request.
4. 'SESSION_REFRESH_EACH_REQUEST' enabled (the default).
5. The application does not set a 'Cache-Control' header to indicate that a page is private or should not be cached.
This happens because vulnerable versions of Flask only set the 'Vary: Cookie' header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.
https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq

Flask 0.12.3 includes a fix for CVE-2019-1010083: Unexpected memory usage. The impact is denial of service. The attack vector is crafted encoded JSON data. NOTE: this may overlap CVE-2018-1000656.
https://github.com/pallets/flask/pull/2695/commits/0e1e9a04aaf29ab78f721cfc79ac2a691f6e3929

Pyopenssl 17.5.0 includes a fix for CVE-2018-1000807: Use After Free vulnerability in X509 object handling that can possibly lead to denial of service or remote code execution. This attack appears to be exploitable via 'Depends' on the calling application and if it retains a reference to the memory.
#NOTE: The data we include in this advisory differs from the publicly available on nvd.nist.gov. 'cryptography' dependency was introduced in release 0.14a2.

Pyopenssl 17.5.0 includes a fix for CVE-2018-1000808: Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 store that can result in denial-of-service if memory runs low or is exhausted. This attack appears to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection. Anything that would cause the calling application to reload certificates from a PKCS #12 store.
#NOTE: The data we include in this advisory differs from the publicly available on nvd.nist.gov. 'cryptography' dependency was introduced in release 0.14a2.