Overview
CVE-2021-33026 affects the Flask-Caching extension for Flask through version 1.10.1, which serializes cache entries with Python's pickle module. Anyone who can write to the cache storage (filesystem, Redis, Memcached, etc.) can plant a crafted pickle payload; the next cache read hands those bytes to pickle.loads, which can execute arbitrary Python code inside the web application's process. The result is remote code execution tied to the cache backend and, where the application runs with more privilege than the party able to write to the store, local privilege escalation. The CVE record itself carries a dispute note: a third party observes that exploitation is extremely unlikely unless the machine is already compromised, because an attacker otherwise has no way to write to the cache. The risk is nonetheless real wherever the store is exposed or misconfigured (an unauthenticated Redis reachable from other hosts, a world-writable cache directory). Upgrading alone does not change the design, since later releases keep pickle as the default serializer; remediation means restricting write access to the cache store and, where the backend allows it, replacing the pickle serializer with one that can only build plain data. The weakness is classified as CWE-502 (Deserialization of Untrusted Data).
Affected Versions
Flask-Caching <= 1.10.1
Code Fix Example
Flask API Security Remediation
Vulnerable pattern:
from flask import Flask
from flask_caching import Cache

app = Flask(__name__)
app.config['CACHE_TYPE'] = 'RedisCache'
app.config['CACHE_REDIS_URL'] = 'redis://localhost:6379/0'
cache = Cache(app)   # default backend stores every entry as a pickle


@app.route('/get/<key>')
def get_value(key):
    # cache.get() runs pickle.loads() on whatever bytes Redis returns for
    # this key; anyone who can write to Redis chooses those bytes.
    value = cache.get(key)
    if value is None:
        value = {'key': key, 'value': 'computed'}
        cache.set(key, value)
    return str(value)
FIXED pattern:
import json

from flask import Flask, jsonify
from flask_caching import Cache

app = Flask(__name__)
app.config['CACHE_TYPE'] = 'RedisCache'
app.config['CACHE_REDIS_URL'] = 'redis://localhost:6379/0'
cache = Cache(app)


class JSONSerializer:
    # json.loads can only produce dicts, lists, strings, numbers, booleans
    # and None, so a crafted entry in Redis cannot call into Python the way
    # a pickle can. Values stored through this cache must be JSON-serializable.
    def dumps(self, value):
        return json.dumps(value).encode('utf-8')

    def loads(self, value):
        if value is None:          # cache miss
            return None
        try:
            return json.loads(value.decode('utf-8'))
        except (UnicodeDecodeError, ValueError):
            return None            # unexpected bytes in the store: treat as a miss


# Flask-Caching has no config key that selects the serializer. This override
# assumes Flask-Caching 2.x on cachelib 0.9 or later, where the backend object
# behind cache.cache carries a `serializer` attribute used by get() and set().
with app.app_context():
    cache.cache.serializer = JSONSerializer()


@app.route('/get/<key>')
def get_value_fixed(key):
    value = cache.get(key)         # now json.loads(), never pickle.loads()
    if value is None:
        value = {'key': key, 'value': 'computed'}
        cache.set(key, value)
    return jsonify(value)
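To make the mechanism from the Overview concrete, and to show why swapping the pickle serializer for a JSON one closes it, here is an added example that is not code from the page or from Flask-Caching. It runs offline: a plain dict stands in for Redis, the PickleSerializer is assumed to mirror the Redis backend's wire format (a "!" prefix followed by pickle bytes, bare digits for integer counters), and the "arbitrary code" is a harmless marker function that only records that it was called. The poisoned entry, key names and marker are all constructed for the demo.

```python
import json
import pickle

# Constructed stand-in for "arbitrary code": the gadget only records that it
# ran, so the demo is harmless, but pickle would call anything named here.
EXECUTED = []


def _marker(tag):
    EXECUTED.append(tag)
    return tag


class Gadget:
    # pickle stores this object as "call _marker('pwned') when loading"; the
    # victim never needs the Gadget class, only the callable the pickle names.
    def __reduce__(self):
        return (_marker, ('pwned',))


class PickleSerializer:
    # Assumed to mirror the Redis backend format: b'!' + pickle bytes, or a
    # bare integer for counters used by inc()/dec().
    def dumps(self, value):
        if isinstance(value, int):
            return str(value).encode('ascii')
        return b'!' + pickle.dumps(value, pickle.HIGHEST_PROTOCOL)

    def loads(self, value):
        if value is None:
            return None
        if value.startswith(b'!'):
            return pickle.loads(value[1:])   # runs whatever the pickle names
        return int(value)


class JSONSerializer:
    # Same interface, but json.loads can only build plain data.
    def dumps(self, value):
        return json.dumps(value).encode('utf-8')

    def loads(self, value):
        if value is None:
            return None
        try:
            return json.loads(value.decode('utf-8'))
        except (UnicodeDecodeError, ValueError):
            return None   # bytes that are not our JSON: treat as a miss


def craft_payload():
    """Entry an attacker with write access to the cache store would plant."""
    return PickleSerializer().dumps(Gadget())


def read_entry(store, key, serializer):
    """The app's read path: fetch raw bytes, hand them to the serializer."""
    return serializer.loads(store.get(key))


def run_demo():
    # Constructed poisoned store; 'flask_cache_' is the default key prefix.
    store = {'flask_cache_42': craft_payload()}
    EXECUTED.clear()
    via_pickle = read_entry(store, 'flask_cache_42', PickleSerializer())
    ran_under_pickle = EXECUTED == ['pwned']
    EXECUTED.clear()
    via_json = read_entry(store, 'flask_cache_42', JSONSerializer())
    ran_under_json = bool(EXECUTED)
    return {
        'pickle_result': via_pickle,        # 'pwned': the gadget ran
        'ran_under_pickle': ran_under_pickle,
        'json_result': via_json,            # None: rejected as malformed
        'ran_under_json': ran_under_json,
    }


def json_round_trip(value):
    """Legitimate entries survive the JSON serializer unchanged."""
    s = JSONSerializer()
    return s.loads(s.dumps(value))


if __name__ == '__main__':
    print(run_demo())
```

The point of the demo is the asymmetry: with the pickle serializer the poisoned entry is not just data but an instruction to call a function, and it runs before the application ever sees the returned value; with the JSON serializer the same bytes are rejected as a malformed entry and the application simply recomputes. Note that JSON narrows what the cache can hold (no arbitrary objects, datetimes become strings), which is the price of removing the code path rather than a bug in the fix.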