CVE-2021-33026: Deserialization of Untrusted Data in Flask-Caching
4.2
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.95244%
CWE
Published
6/18/2021
Updated
8/16/2023
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Flask-Caching | pip | <= 1.10.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Flask-Caching's reliance on pickle
for serialization. The serializer's loads()
method directly uses pickle.loads()
, which is inherently unsafe for untrusted data. The BaseCache
class's _loads
method propagates this vulnerability by using the default pickle
-based serializer. These functions create an RCE vector when combined with cache poisoning. The assessment is supported by the CVE description, GitHub advisory discussion about pickle
usage, and code changes in PR #209 that specifically target serialization mechanisms.