flask
Safeguard articles tagged "flask" — guides, analysis, and best practices for software supply chain and application security.
9 articles
Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation
One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.
Finding and fixing IDOR vulnerabilities in Python
Broken Object Level Authorization has held the #1 spot on the OWASP API Security Top 10 since 2019 — and Django's get_object_or_404() does nothing to stop it.
A hardening guide to securing Flask applications
Flask ships session cookies with HttpOnly on by default — but Secure, SameSite, CSRF tokens, and every security header are left entirely to you.
Flask Security Best Practices for 2026
Flask is minimal by design, which means the security decisions Django makes for you are decisions you own. Here is how to make them correctly.
Werkzeug multipart form-data denial of service (CVE-2019-1010083)
CVE-2019-1010083 lets attackers crash Flask apps via crafted multipart form-data. Here's the CVSS score, timeline, and how to fix the Werkzeug DoS flaw.
Werkzeug multipart parser DoS (CVE-2023-46136)
A crafted multipart upload could pin Werkzeug workers at 100% CPU with no auth required. Here's what CVE-2023-46136 affects and how to fix it.
CVE-2023-30861: Flask session cookie disclosure to templates
CVE-2023-30861 lets caching proxies leak Flask session cookies between users when responses aren't marked Vary: Cookie. Here's who's affected and how to fix it.
CVE-2019-1010083: Denial of service in Flask via large mu...
CVE-2019-1010083 let attackers crash Flask apps with crafted multipart requests. Here's the impact, affected versions, and how to remediate the DoS flaw.
Flask Application Security: A Deep Dive
Flask gives you room to make mistakes. This is a long look at the patterns that keep Flask apps safe in 2023, covering sessions, extensions, Werkzeug, and Jinja.