
CVE-2025-47278: CWE-683: Function Call With Incorrect Order of Arguments in pallets flask

Low
Tags: Vulnerability, CVE-2025-47278, CWE-683
Published: Tue May 13 2025 (05/13/2025, 15:57:40 UTC)
Source: CVE
Vendor/Project: pallets
Product: flask

Description

Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first. Sites that have opted in to key rotation by setting `SECRET_KEY_FALLBACKS` are likely to be unexpectedly signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss. Version 3.1.1 contains a patch for the issue.

AI-Powered Analysis

Last updated: 07/06/2025, 17:27:56 UTC

Technical Analysis

CVE-2025-47278 is a vulnerability identified in Flask version 3.1.0, a popular Python web framework that implements the Web Server Gateway Interface (WSGI). The issue arises from incorrect handling of fallback key configuration used for signing session data. Flask relies on the 'itsdangerous' library to cryptographically sign session cookies, ensuring their integrity and authenticity. The library supports key rotation by accepting a list of secret keys, where the last key in the list is considered the current signing key, and the preceding keys are fallback keys used to verify older signatures. However, in Flask 3.1.0, the construction of this key list was reversed, causing the signing operation to use the last fallback key instead of the current signing key. This means that sessions were signed with stale keys rather than the intended fresh key. While this does not lead to direct data integrity loss or session tampering, it impedes the proper transition to newer keys during key rotation, potentially prolonging the use of weaker or compromised keys. The vulnerability is classified under CWE-683 (Function Call With Incorrect Order of Arguments), reflecting the incorrect ordering of keys passed to the signing function. The flaw requires high privileges to exploit (PR:H), no user interaction, and local access (AV:L), resulting in a low CVSS 4.0 score of 1.8. The issue was patched in Flask version 3.1.1. There are no known exploits in the wild, and the impact is limited to key rotation mechanisms in applications that have explicitly enabled SECRET_KEY_FALLBACKS. Overall, this vulnerability represents a subtle cryptographic misconfiguration rather than a direct security breach.
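The following Python is an added illustration, not part of this advisory and not Flask's or itsdangerous's own code. It models the key-list semantics the description attributes to itsdangerous (the last key in the list signs, every key in the list may verify) with a small HMAC-based stand-in, then builds the list the two ways described above: signing key first (the 3.1.0 behaviour) and signing key last (the 3.1.1 fix). It also shows the practical check a defender would run: sign a session with the full key list and verify it with the current key alone; if that fails, the cookie was signed with a stale fallback. The key values, the `KeyListSigner` class and the two `build_key_list_*` functions are constructed assumptions; the real Flask session-interface code is not reproduced.

```python
import hashlib
import hmac

# Constructed sample keys (not real secrets). SECRET_KEY_FALLBACKS is assumed
# to be ordered oldest first, with the current SECRET_KEY kept separately.
CURRENT_KEY = b"key-2025-05"
FALLBACKS = [b"key-2024-11", b"key-2025-02"]


class KeyListSigner:
    """Stand-in for the itsdangerous key-list behaviour the advisory describes:
    the LAST key in the list is used to sign; every key may be used to verify.
    This is a simplified model, not the itsdangerous implementation."""

    def __init__(self, keys):
        self.keys = list(keys)
        if not self.keys:
            raise ValueError("at least one key is required")

    @staticmethod
    def _mac(key: bytes, payload: bytes) -> str:
        return hmac.new(key, payload, hashlib.sha256).hexdigest()

    def signing_key(self) -> bytes:
        # Mirrors the documented expectation: last key is the most recent.
        return self.keys[-1]

    def sign(self, payload: bytes) -> bytes:
        return payload + b"." + self._mac(self.signing_key(), payload).encode()

    def verify(self, signed: bytes) -> bool:
        payload, sep, sig = signed.rpartition(b".")
        if not sep:
            return False
        sig_text = sig.decode("ascii", errors="replace")
        return any(hmac.compare_digest(self._mac(k, payload), sig_text) for k in self.keys)


def build_key_list_flask_3_1_0(secret_key: bytes, fallbacks: list) -> list:
    # Modelled on the advisory text: the signing key was passed FIRST, so the
    # last entry handed to the signer is the newest fallback, not the current key.
    return [secret_key, *fallbacks]


def build_key_list_flask_3_1_1(secret_key: bytes, fallbacks: list) -> list:
    # Corrected ordering: fallbacks first, current key last, so it is used to sign.
    return [*fallbacks, secret_key]


def which_key_signs(builder, secret_key=CURRENT_KEY, fallbacks=FALLBACKS) -> bytes:
    """Report which key the signer would actually use for a given list ordering."""
    return KeyListSigner(builder(secret_key, fallbacks)).signing_key()


def session_verifies_with_current_key_only(builder, secret_key=CURRENT_KEY, fallbacks=FALLBACKS) -> bool:
    """Deployment check: a cookie signed with the full key list must verify
    against the current key alone. False means a stale key signed it."""
    cookie = KeyListSigner(builder(secret_key, fallbacks)).sign(b"session-data")
    return KeyListSigner([secret_key]).verify(cookie)


def session_verifies_with_full_list(builder, secret_key=CURRENT_KEY, fallbacks=FALLBACKS) -> bool:
    """Illustrates the advisory's integrity point: even the stale-signed cookie
    still verifies as long as the old key remains in the fallback list."""
    full = KeyListSigner(builder(secret_key, fallbacks))
    return full.verify(full.sign(b"session-data"))


if __name__ == "__main__":
    for name, builder in (("3.1.0", build_key_list_flask_3_1_0), ("3.1.1", build_key_list_flask_3_1_1)):
        print(name, "signs with", which_key_signs(builder),
              "| verifies with current key only:", session_verifies_with_current_key_only(builder),
              "| verifies with full list:", session_verifies_with_full_list(builder))
```

The last check is the one that matters operationally: a cookie minted by the affected ordering keeps validating while the stale key is still listed, which is why the bug is silent, and it only becomes visible when that old key is finally dropped from `SECRET_KEY_FALLBACKS` and sessions start failing. Running the same sign-then-verify-with-current-key-only comparison against a real deployment, using the application's own session serializer, tells you whether the upgrade to 3.1.1 has taken effect.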

Potential Impact

For European organizations using Flask 3.1.0 with key rotation enabled via SECRET_KEY_FALLBACKS, this vulnerability could delay or complicate the transition to new signing keys. This may increase the window during which older keys remain in use, potentially exposing session data to risks if those keys are compromised. Although the vulnerability does not allow session tampering or data integrity violations directly, it weakens the cryptographic hygiene of session management. Organizations with strict compliance requirements around cryptographic key management or those subject to regulations like GDPR may face increased risk if key rotation is not properly enforced. The impact is more pronounced in environments with long-lived sessions or where key compromise is a realistic threat. However, since exploitation requires local access and high privileges, the risk of remote exploitation is minimal. The vulnerability does not affect availability or confidentiality directly but may indirectly affect trust in session security. European entities operating critical web applications or services that rely on Flask for session management should prioritize upgrading to Flask 3.1.1 to ensure proper key rotation and maintain cryptographic best practices.

Mitigation Recommendations

The primary mitigation is to upgrade Flask to version 3.1.1 or later, where the key ordering issue has been corrected. Organizations should audit their Flask deployments to identify any instances running version 3.1.0 with SECRET_KEY_FALLBACKS enabled. If immediate upgrading is not feasible, temporarily disabling key rotation or SECRET_KEY_FALLBACKS can prevent signing with stale keys, though this reduces key rotation benefits. Additionally, organizations should review their key management policies to ensure that secret keys are rotated regularly and securely stored. Implement monitoring to detect unusual session behaviors or anomalies that might indicate misuse of older keys. Security teams should also verify that their deployment pipelines and dependency management tools are configured to promptly apply security patches. Finally, educating developers about the importance of correct key ordering and cryptographic hygiene in session management can prevent similar issues in the future.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-05-05T16:53:10.373Z
Cisa Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682cd0fc1484d88663aecbe4

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 5:27:56 PM

Last updated: 8/17/2025, 5:56:05 PM

Views: 32
