Safeguard
Tag

flask

Safeguard articles tagged "flask" — guides, analysis, and best practices for software supply chain and application security.

9 articles

Application Security

Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation

One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.

Jul 14, 20266 min read
Application Security

Finding and fixing IDOR vulnerabilities in Python

Broken Object Level Authorization has held the #1 spot on the OWASP API Security Top 10 since 2019 — and Django's get_object_or_404() does nothing to stop it.

Jul 8, 20266 min read
Application Security

A hardening guide to securing Flask applications

Flask ships session cookies with HttpOnly on by default — but Secure, SameSite, CSRF tokens, and every security header are left entirely to you.

Jul 8, 20266 min read
Security Guides

Flask Security Best Practices for 2026

Flask is minimal by design, which means the security decisions Django makes for you are decisions you own. Here is how to make them correctly.

Jul 1, 20265 min read
Vulnerability Analysis

Werkzeug multipart form-data denial of service (CVE-2019-1010083)

CVE-2019-1010083 lets attackers crash Flask apps via crafted multipart form-data. Here's the CVSS score, timeline, and how to fix the Werkzeug DoS flaw.

Dec 27, 20258 min read
Vulnerability Analysis

Werkzeug multipart parser DoS (CVE-2023-46136)

A crafted multipart upload could pin Werkzeug workers at 100% CPU with no auth required. Here's what CVE-2023-46136 affects and how to fix it.

Dec 26, 20257 min read
Vulnerability Analysis

CVE-2023-30861: Flask session cookie disclosure to templates

CVE-2023-30861 lets caching proxies leak Flask session cookies between users when responses aren't marked Vary: Cookie. Here's who's affected and how to fix it.

Oct 4, 20258 min read
Vulnerability Analysis

CVE-2019-1010083: Denial of service in Flask via large mu...

CVE-2019-1010083 let attackers crash Flask apps with crafted multipart requests. Here's the impact, affected versions, and how to remediate the DoS flaw.

Oct 3, 20257 min read
Best Practices

Flask Application Security: A Deep Dive

Flask gives you room to make mistakes. This is a long look at the patterns that keep Flask apps safe in 2023, covering sessions, extensions, Werkzeug, and Jinja.

Jun 18, 20237 min read
flask — Safeguard Blog