Flask is a widely used PyPI package. As of 2026-05-24, there are 8 known vulnerabilities in the OSV database. The latest stable version is 3.1.3. Developers should audit their dependency trees and update to patched versions.
Package Overview
Known Vulnerabilities (8)
| ID | Severity | Score | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2018-1000656 | HIGH | 7.5 | 0 to 0.12.3 | 0.12.3 | Flask is vulnerable to Denial of Service via incorrect encoding of JSON data |
| CVE-2019-1010083 | HIGH | 7.5 | 0 to 1.0 | 1.0 | Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory usage |
| CVE-2023-30861 | HIGH | 7.5 | 2.3.0 to 2.3.2; 0 to 2.2.5 | 2.3.2 | Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header |
| CVE-2025-47278 | LOW | 2.5 | 3.1.0 to 3.1.1 | 3.1.1 | Flask uses fallback key instead of current signing key |
| CVE-2026-27205 | LOW | 2.5 | 0 to 3.1.3 | 3.1.3 | Flask session does not add `Vary: Cookie` header when accessed in some ways |
| CVE-2018-1000656 | UNKNOWN | - | 0 to 0.12.3 | 0.12.3 | The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of servic |
| CVE-2019-1010083 | UNKNOWN | - | 0 to 1.0 | 1.0 | The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may |
| CVE-2023-30861 | UNKNOWN | - | 0 to afd63b16170b7c047f5758eb910c416511e9c965; 2.3.0 to 2.3.2 | 70f906c51ce49c485f1d355703e9cc3386b1cc2b | Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy |
Security Recommendations
- Pin Flask to the latest stable version (3.1.3) in your dependency manifest
- Enable automated dependency updates with Dependabot or Renovate
- Run regular vulnerability scans using
pip-audit - Review your lock file (requirements.txt) after every update
- Monitor the OSV database and NIST NVD for new advisories
FAQ
Is Flask safe to use?
Flask is actively maintained and widely used. As of 2026-05-24, there are 8 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does Flask have?
The OSV database currently lists 8 vulnerabilities for Flask. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update Flask to fix vulnerabilities?
Run pip install --upgrade flask to get the newest version. Use pip-audit or safety check to scan for known vulnerabilities. Pin your dependencies with a requirements file and review updates regularly.
Using AI-Generated Code with Flask?
Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses Flask, we can verify it is locked to a safe version and properly configured.
Get a Vibe Coding Security Audit