MEDIUM 5.3

PYSEC-2024-271

Details

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / flask-cors

Introduced in: 0

No fixed version published yet for flask-cors (pip). Pin to a known-safe version or switch to an alternative.

References

https://lists.debian.org/debian-lts-announce/2025/05/msg00049.html [WEB]
https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644 [EVIDENCE]
https://github.com/advisories/GHSA-84pr-m4jr-85g5 [ADVISORY]