chore(deps): update dependency flask to v3 [security]#267
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
2 times, most recently
from
March 5, 2026 23:10
2e24e15 to
59062e8
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
2 times, most recently
from
March 13, 2026 22:02
3c2b2ff to
5d6fd5f
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
2 times, most recently
from
March 26, 2026 20:34
31d2185 to
d6af0cd
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
4 times, most recently
from
April 1, 2026 22:55
09d1930 to
167c660
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
3 times, most recently
from
April 15, 2026 11:57
ea3a7e3 to
fff1b7d
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
7 times, most recently
from
April 22, 2026 03:10
aa6e582 to
fd7e45f
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
2 times, most recently
from
April 23, 2026 20:52
0ecfdef to
d2bfa93
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
5 times, most recently
from
April 30, 2026 19:19
64d2b92 to
4810712
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
6 times, most recently
from
May 18, 2026 15:12
6c25620 to
a7de40c
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
4 times, most recently
from
May 28, 2026 21:35
666d9a5 to
cb668a4
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
2 times, most recently
from
June 2, 2026 03:14
c84b027 to
f69347e
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
4 times, most recently
from
June 19, 2026 01:46
ee914b3 to
752c883
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
3 times, most recently
from
July 16, 2026 16:54
1aff3b7 to
8b7f709
Compare
renovate
Bot
force-pushed
the
renovate/pypi-flask-vulnerability
branch
from
July 17, 2026 01:29
8b7f709 to
00b5879
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
>=2.3.3, <2.4.0→>=3.1.3, <3.1.4Flask session does not add
Vary: Cookieheader when accessed in some waysCVE-2026-27205 / GHSA-68rp-wp8r-4726
More information
Details
When the
sessionobject is accessed, Flask should set theVary: Cookieheader. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Pythoninoperator were overlooked.The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met.
Cache-Controlheader to indicate that a page is private or should not be cached.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
pallets/flask (Flask)
v3.1.3Compare Source
Released 2026-02-18
but not the values, such as
inandlen. :ghsa:68rp-wp8r-4726v3.1.2Compare Source
Released 2025-08-19
stream_with_contextdoes not fail inside async views. :issue:5774follow_redirectsin the test client, the final stateof
sessionis correct. :issue:5786send_file. :issue:5776v3.1.1Compare Source
Released 2025-05-13
SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28gcli_runner.invoke. :issue:5645flask --helploads the app and plugins first to make sure all commandsare shown. :issue:
5673AsyncIterable. This is not accurate for Flask, but makes typing easierfor Quart. :pr:
5659v3.1.0Compare Source
Released 2024-11-13
5623Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:
5624,5633responses. :pr:
5496Flask.open_resource/open_instance_resourceandBlueprint.open_resourcetake anencodingparameter to use whenopening in text mode. It defaults to
utf-8. :issue:5504Request.max_content_lengthcan be customized per-request instead of onlythrough the
MAX_CONTENT_LENGTHconfig. AddedMAX_FORM_MEMORY_SIZEandMAX_FORM_PARTSconfig. Added documentationabout resource limits to the security page. :issue:
5625Partitionedcookie attribute (CHIPS), with theSESSION_COOKIE_PARTITIONEDconfig. :issue:5472-e pathtakes precedence over default.envand.flaskenvfiles.load_dotenvloads default files in addition to a path unlessload_defaults=Falseis passed. :issue:5628SECRET_KEY_FALLBACKSconfig, a list of oldsecret keys that can still be used for unsigning. Extensions will need to
add support. :issue:
5621host_matching=Trueorsubdomain_matching=Falseinteracts with
SERVER_NAME. SettingSERVER_NAMEno longer restrictsrequests to only that domain. :issue:
5553Request.trusted_hostsis checked during routing, and can be set throughthe
TRUSTED_HOSTSconfig. :issue:5636v3.0.3Compare Source
Released 2024-04-07
hashlib.sha1may not be available in FIPS builds. Don'taccess it at import time so the developer has time to change the default.
:issue:
5448cliattribute in the sansio scaffold, but rather inthe
Flaskconcrete class. :pr:5270v3.0.2Compare Source
Released 2024-02-03
jinja_loaderproperty. :issue:5388--extra-filesand--exclude-patternsCLI options.:issue:
5391v3.0.1Compare Source
Released 2024-01-18
pathargument tosend_file. :issue:5336flask run --keyoption. :pr:5344json.loadsobject_hook. This allows other JSON providers that don't implement that.:issue:
53815383v3.0.0Compare Source
Released 2023-09-30
5223__version__attribute. Use feature detection, orimportlib.metadata.version("flask"), instead. :issue:5230classes have Sans-IO bases. :pr:
51275264Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.