Flask 3.0.3 — current safe version

Flask 3.0.3 requires Werkzeug 3.0.3+. Always update both together: pip install --upgrade flask werkzeug. Flask 3.0.3 patches CVE-2023-30861 (session cookie leakage).

All Flask CVEs — Complete Vulnerability History

Last updated: April 1, 2026 · Data: OSV Database

Flask is Python's most popular microframework. CVEs in Flask itself are rare — most Flask-related vulnerabilities come through Werkzeug or Jinja2. The main direct CVE is a cookie bypass.

PyPI · 100M+ weekly downloads · 2 CVEs total

Full CVE history

CVE               Year  Severity  Description                                     Fix
CVE-2018-1000656  2018  HIGH      DoS via large cookie value                      Fixed 0.12.3
CVE-2023-30861    2023  HIGH      Secure cookie bypass via response manipulation  Fixed 2.3.2

Current safe version: 3.0.3

# Before (requirements.txt; pins are written without quotes)
Flask==2.0.0
# After
Flask==3.0.3

Then run: pip install -r requirements.txt

Flask CVEs — complete history

Flask has a small but important CVE history. Most vulnerabilities are in Werkzeug (Flask's WSGI toolkit) rather than Flask itself. Always update both together.

Known Flask and Werkzeug CVEs

Package   CVE             Severity  Description                  Safe
Werkzeug  CVE-2024-49767  HIGH      DoS via multipart parsing    3.0.6+
Werkzeug  CVE-2024-34069  HIGH      Debugger PIN bypass RCE      3.0.3+
Flask     CVE-2023-30861  HIGH      Session cookie leakage       2.3.2+
Werkzeug  CVE-2023-46136  HIGH      DoS via multipart boundary   3.0.1+

Fix Flask and Werkzeug

# Always update Flask and Werkzeug together
pip install --upgrade flask werkzeug

# Pin in requirements.txt
flask>=3.0.3
werkzeug>=3.0.6

pip install -r requirements.txt

# Verify
pip show flask werkzeug | grep -E "Name:|Version:"
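To check a manifest against the tables above without a network call, here is an added example script (not PackageFix's scanner and not Flask project code). It reads requirements.txt pins, understands only exact (==) and minimum (>=) pins, and reports which CVEs from this page the lowest permitted version of each package still falls under; the advisory list is transcribed from the tables above and the sample manifest is constructed.

```python
import re

# Advisory data transcribed from the tables on this page: (package, CVE, first fixed version).
ADVISORIES = [
    ("flask", "CVE-2018-1000656", "0.12.3"),
    ("flask", "CVE-2023-30861", "2.3.2"),
    ("werkzeug", "CVE-2023-46136", "3.0.1"),
    ("werkzeug", "CVE-2024-34069", "3.0.3"),
    ("werkzeug", "CVE-2024-49767", "3.0.6"),
]

# Only exact pins (==) and lower bounds (>=) are understood; any other form counts as unpinned.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=)\s*([0-9][0-9.]*)$")

# Constructed sample manifest (not from the page) with one stale pin per package.
SAMPLE_MANIFEST = """\
Flask==2.0.0       # CVE-2023-30861 is fixed in 2.3.2
werkzeug>=3.0.3    # still permits 3.0.3 to 3.0.5, which CVE-2024-49767 affects
requests
"""

def parse_version(text):
    """'3.0.3' -> (3, 0, 3); short versions are padded so tuples compare component-wise."""
    parts = [int(p) for p in text.rstrip(".").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def lowest_allowed(text):
    """Map each package in a requirements.txt to the lowest version its pin permits (None = unpinned)."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank lines, comments and pip options such as -r or -e
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = parse_version(match.group(3))
        else:
            pins[re.split(r"[<>=!~\s\[]", line, maxsplit=1)[0].lower()] = None
    return pins

def check_manifest(text):
    """Return sorted (package, CVE) pairs the manifest still permits. Unpinned packages are reported
    against every advisory; packages absent from the manifest are skipped, so pin Werkzeug explicitly."""
    pins = lowest_allowed(text)
    findings = []
    for package, cve, fixed in ADVISORIES:
        if package in pins and (pins[package] is None or pins[package] < parse_version(fixed)):
            findings.append((package, cve))
    return sorted(findings)
```

Run check_manifest on the text of your requirements.txt; an empty list means every listed package is pinned at or above the fix versions in the tables above.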

Critical: disable the debugger in production

CVE-2024-34069 is a Werkzeug debugger PIN bypass that allows remote code execution. It only affects apps running with debug=True. Never run Flask with debug mode enabled in production.

# Never in production
app.run(debug=True)

# Always in production
app.run(debug=False)

# Or, when starting the app with the flask CLI, set it from the environment
FLASK_DEBUG=0 flask run

Flask version history — safe versions

Version          Status      Notes
3.0.3+           SAFE        Requires Werkzeug 3.0.3+
3.0.2            OUTDATED    Missing Werkzeug DoS fixes
2.3.2            SAFE        Patches CVE-2023-30861 — last safe 2.x release
2.3.1 and below  VULNERABLE  CVE-2023-30861 session leakage
Below 2.x        EOL         End of life — multiple CVEs


Common questions

Does Flask have many CVEs?
Flask itself has very few direct CVEs — most Flask security issues come through its dependencies Werkzeug (routing, request handling) and Jinja2 (templates). Keep the entire Flask stack updated together.
What changed in CVE-2023-30861?
A response could be crafted to cause Flask to set cookies without the Secure flag even when configured to require it. Update to 2.3.2 or later.
