Flask Fallback Key Mismanagement Vulnerability in Session Signing

Vulnerability

Flask version 3.1.0 mishandles the fallback keys used for session signing. The framework builds the key list in the wrong order of priority, so the last fallback key is used for signing instead of the current key. This affects sites that have enabled key rotation through the `SECRET_KEY_FALLBACKS` setting, causing them to inadvertently sign sessions with outdated keys. As a result, the transition to newer keys is disrupted; session signing itself remains intact, so data integrity is not affected.

Impact

This vulnerability could lead to sessions being signed with stale keys, disrupting the key rotation process and potentially causing issues when trying to validate or unsign sessions with the current key.

Reproduction

To reproduce this vulnerability, set up a Flask application and configure key rotation by adding old secret keys to the `SECRET_KEY_FALLBACKS` setting. Sign a session and observe that the last key in the fallback list, rather than the current `SECRET_KEY`, produced the signature, which is how sessions end up signed with outdated keys.

Remediation

Users can upgrade to Flask version 3.1.1, which addresses this vulnerability by correcting the order in which keys are applied for signing.
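The ordering problem described above, as an added example that is not Flask's own code: a minimal pure-Python model of a rotation-aware signer (the last key in the list signs, every key verifies), the key list in the order the advisory describes for 3.1.0, the corrected order, and a check a deployment can run to confirm the current key is the one signing. The HMAC-SHA256 scheme and the sample keys are simplifications constructed for this example.

```python
import hashlib
import hmac

# Constructed sample keys for this example (not real secrets).
CURRENT_KEY = b"key-2025-06"
FALLBACKS = [b"key-2025-03", b"key-2024-12"]  # older keys still accepted


def sign(value: bytes, keys: list[bytes]) -> bytes:
    """Sign with the LAST key in the list. A rotation-aware signer
    accepts every key for verification but only signs with the last one."""
    return hmac.new(keys[-1], value, hashlib.sha256).digest()


def verify(value: bytes, sig: bytes, keys: list[bytes]) -> bool:
    """Accept the signature if ANY key in the list produced it."""
    return any(
        hmac.compare_digest(sig, hmac.new(k, value, hashlib.sha256).digest())
        for k in keys
    )


def key_list_3_1_0(current: bytes, fallbacks: list[bytes]) -> list[bytes]:
    """Order described for Flask 3.1.0: current key first, fallbacks after.
    Since the signer uses the last entry, the oldest fallback ends up signing."""
    return [current, *fallbacks]


def key_list_3_1_1(current: bytes, fallbacks: list[bytes]) -> list[bytes]:
    """Corrected order: fallbacks first, current key last, so the current
    key signs and the fallbacks only verify."""
    return [*fallbacks, current]


def signing_key_is_current(keys: list[bytes], current: bytes) -> bool:
    """Deployment check: sign a probe and verify it with the current key alone.
    False means sessions are being signed with a stale key."""
    probe = b"session-probe"
    return verify(probe, sign(probe, keys), [current])


if __name__ == "__main__":
    buggy = key_list_3_1_0(CURRENT_KEY, FALLBACKS)
    fixed = key_list_3_1_1(CURRENT_KEY, FALLBACKS)
    print("3.1.0 order signs with current key:", signing_key_is_current(buggy, CURRENT_KEY))
    print("3.1.1 order signs with current key:", signing_key_is_current(fixed, CURRENT_KEY))
```

Against a real Flask app the same check can be run by signing a value with the app's session serializer and verifying it with a serializer built from `SECRET_KEY` alone.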

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.