build(security): update dependency flask to v3.1.3 [SECURITY] #201

Merged
renovate-bot merged 1 commits from renovate/pypi-flask-vulnerability into main 2026-02-23 07:16:26 +00:00

This PR contains the following updates:

Package | Change | Age | Confidence
flask (changelog) | 3.1.2 → 3.1.3 | age badge | confidence badge

Flask session does not add Vary: Cookie header when accessed in some ways

CVE-2026-27205 / GHSA-68rp-wp8r-4726

Details

When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked.

The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not ignore responses with cookies.
  2. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.
  3. The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

  • https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
  • https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
  • https://github.com/pallets/flask
  • https://github.com/pallets/flask/releases/tag/3.1.3

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pallets/flask (flask)

v3.1.3

Compare Source

Released 2026-02-18

  • The session is marked as accessed for operations that only access the keys
    but not the values, such as in and len. GHSA-68rp-wp8r-4726

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

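An added, self-contained model of the gap the advisory above describes (this is illustration code, not Flask's own): with track_key_ops=False it behaves like 3.1.2, where "user" in session left the session unmarked and no Vary: Cookie header was emitted; with the default it behaves like 3.1.3. The is_shared_cacheable check and the view function are constructed here; the check also reflects condition 2, an explicit Cache-Control: private protecting the response on either version.

```python
"""Model of the session-access gap fixed in Flask 3.1.3 (CVE-2026-27205).
Added illustration, not Flask's own code: a session-like mapping that records
whether it was read, and a header step that adds Vary: Cookie only when it was.
"""


class TrackedSession(dict):
    def __init__(self, data=None, track_key_ops=True):
        super().__init__(data or {})
        self.accessed = False
        self.track_key_ops = track_key_ops  # True models the 3.1.3 fix

    def __getitem__(self, key):  # value reads were always tracked
        self.accessed = True
        return super().__getitem__(key)

    def __contains__(self, key):  # `"user" in session`: the overlooked path
        if self.track_key_ops:
            self.accessed = True
        return super().__contains__(key)

    def __len__(self):  # `len(session)`: also key-only, also overlooked
        if self.track_key_ops:
            self.accessed = True
        return super().__len__()


def finalize_headers(session, headers):
    """Like Flask's save-session step: add Vary: Cookie if the session was used."""
    if session.accessed:
        vary = headers.get("Vary")
        headers["Vary"] = "Cookie" if not vary else vary + ", Cookie"
    return headers


def view(session, headers=None):
    """Constructed view that branches on key presence without reading a value."""
    headers = {"Content-Type": "text/html"} if headers is None else headers
    body = "logged in" if "user" in session else "anonymous"
    return body, finalize_headers(session, headers)


def is_shared_cacheable(headers):
    """Defender check: could a cookie-unaware shared cache store this response?"""
    cache_control = headers.get("Cache-Control", "").lower()
    if "private" in cache_control or "no-store" in cache_control:
        return False
    return "cookie" not in headers.get("Vary", "").lower()
```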
renovate-bot added the security label 2026-02-23 06:01:31 +00:00
renovate-bot added 1 commit 2026-02-23 06:01:31 +00:00
[SECURITY] Update dependency flask to v3.1.3 [SECURITY]
All checks were successful
Validate PR Title / validate (pull_request) Successful in 2s
CI / ci (pull_request) Successful in 23s
6a552f42ea
renovate-bot requested review from luke 2026-02-23 06:01:31 +00:00
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-02-23 06:01:32 +00:00
luke changed title from [SECURITY] Update dependency flask to v3.1.3 [SECURITY] to build(security): update dependency flask to v3.1.3 [SECURITY] 2026-02-23 07:15:38 +00:00
luke approved these changes 2026-02-23 07:16:23 +00:00
renovate-bot merged commit 7cd8e5814c into main 2026-02-23 07:16:26 +00:00
renovate-bot deleted branch renovate/pypi-flask-vulnerability 2026-02-23 07:16:26 +00:00
Reference: repos/epage#201