Safety vulnerability ID: 40459
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Flask-caching is vulnerable to CVE-2021-33026: Flask-Caching extension for Flask relies on Pickle for deserialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code.
NOTE: Project maintainers indicate that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision.
https://github.com/pallets-eco/flask-caching/pull/209
Latest version: 2.3.0
Adds caching support to Flask applications.
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. See CVE-2021-33026.
MISC:https://github.com/sh4nks/flask-caching/pull/209: https://github.com/sh4nks/flask-caching/pull/209
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application