Overview
In production, Flask apps frequently rely on caching to improve performance. CVE-2021-33026 describes a vulnerability in the Flask-Caching extension up to version 1.10.1: cached values are serialized with Python's Pickle. If an attacker gains write access to the cache storage (Redis, Memcached, filesystem, etc.), they can plant payloads that are deserialized when the entry is retrieved, potentially leading to remote code execution or local privilege escalation. The CVE references CWE-502 (Deserialization of Untrusted Data) as the underlying weakness. Note that third-party analyses indicate exploitation is extremely unlikely unless the machine is already compromised or the attacker can already write to the cache; even so, this remains a dangerous misconfiguration risk that should be remediated. Reference CVE-2021-33026 explicitly when auditing dependencies and patch levels.
Affected Versions
Flask-Caching <= 1.10.1
Code Fix Example
Flask API Security Remediation
VULNERABLE_PATTERN:
import os

from flask import Flask
from flask_caching import Cache

app = Flask(__name__)

# Vulnerable: Flask-Caching <= 1.10.1 pickles cached values, so anyone who can
# write to the shared Redis store can plant bytes that are unpickled on the
# next cache read. ('CACHE_SERIALIZER' is this page's way of spelling out that
# default; check whether your installed version honors the key at all.)
cache = Cache(app, config={
    'CACHE_TYPE': 'RedisCache',
    'CACHE_REDIS_URL': 'redis://localhost:6379/0',
    'CACHE_DEFAULT_TIMEOUT': 300,
    'CACHE_SERIALIZER': 'pickle',
})


@cache.cached(timeout=60, key_prefix='get_config')
def get_config():
    # The returned dict is pickled into Redis under the 'get_config' key
    return {'secret': os.urandom(16).hex()}
FIX:
import os

from flask import Flask
from flask_caching import Cache

app = Flask(__name__)

# Fixed: upgrade Flask-Caching beyond 1.10.1 (the remediation the advisory
# calls for) and select the JSON serializer, which can only rebuild plain
# data (dict, list, str, numbers), never arbitrary objects. Verify that the
# installed version honors 'CACHE_SERIALIZER'; if it does not, the setting
# has no effect and pickle remains in use.
cache = Cache(app, config={
    'CACHE_TYPE': 'RedisCache',
    'CACHE_REDIS_URL': 'redis://localhost:6379/0',
    'CACHE_DEFAULT_TIMEOUT': 300,
    'CACHE_SERIALIZER': 'json',
})


@cache.cached(timeout=60, key_prefix='get_config')
def get_config():
    # Only JSON-serializable return values can be cached under this config
    return {'secret': os.urandom(16).hex()}
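The Overview explains why pickle in a writable cache is dangerous, and the fix above swaps in JSON. The following added example (not code from the advisory or from the Flask-Caching project) makes both points concrete without Flask: a small JSON-only cache wrapper over a constructed in-memory store standing in for Redis, which returns None for any entry that is not valid JSON instead of executing anything, plus an audit helper that flags entries already sitting in a store in pickle format, so a defender can check whether an existing cache still holds pickled data. The store contents, key names and the `looks_like_pickle` heuristic are this example's own assumptions.

```python
"""Added example: JSON-only cache access and a pickle-format audit over a
constructed in-memory store. Not part of Flask-Caching or the advisory."""
import json
import pickle
from typing import Any, Dict, Optional

# Constructed stand-in for a Redis/Memcached/filesystem backend:
# maps cache key -> the raw bytes the backend would hold.
RawStore = Dict[str, bytes]


def json_set(store: RawStore, key: str, value: Any) -> None:
    """Store a value as JSON bytes. Only plain data (dict, list, str, numbers,
    bool, None) is accepted; anything else raises TypeError rather than
    silently falling back to pickle."""
    store[key] = json.dumps(value, separators=(",", ":")).encode("utf-8")


def json_get(store: RawStore, key: str) -> Optional[Any]:
    """Load a cached value. Bytes that are not valid UTF-8 JSON (for example a
    pickle stream written by whoever has write access to the store) yield
    None. json.loads cannot instantiate classes, so nothing runs on load."""
    raw = store.get(key)
    if raw is None:
        return None
    try:
        return json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):  # JSONDecodeError is a ValueError
        return None


def looks_like_pickle(raw: bytes) -> bool:
    """Heuristic (assumption of this example): pickle protocol 2 and above
    begins with the PROTO opcode 0x80 followed by the protocol number.
    Protocol 0/1 streams are not detected by this check."""
    return (
        len(raw) >= 2
        and raw[0] == 0x80
        and 2 <= raw[1] <= pickle.HIGHEST_PROTOCOL
    )


def audit_store(store: RawStore) -> Dict[str, str]:
    """Classify every entry as 'pickle', 'json' or 'unknown' so an operator
    can see whether a cache still contains pickled values after the fix."""
    report: Dict[str, str] = {}
    for key, raw in store.items():
        if looks_like_pickle(raw):
            report[key] = "pickle"
            continue
        try:
            json.loads(raw.decode("utf-8"))
            report[key] = "json"
        except (UnicodeDecodeError, ValueError):
            report[key] = "unknown"
    return report


def demo() -> Dict[str, Any]:
    """Populate a constructed store with three kinds of entries and show how
    the JSON-only reader and the audit treat each one."""
    store: RawStore = {}
    # Constructed value standing in for get_config()'s cached dict
    json_set(store, "get_config", {"secret": "0123456789abcdef"})
    # Constructed: an entry written the way Flask-Caching <= 1.10.1 writes it
    store["legacy_entry"] = pickle.dumps({"user": "alice"})
    # Constructed: bytes that are neither JSON nor a pickle stream
    store["garbage"] = b"\xff\xfe not json"
    return {
        "config": json_get(store, "get_config"),
        "legacy": json_get(store, "legacy_entry"),
        "garbage": json_get(store, "garbage"),
        "audit": audit_store(store),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the JSON entry round-tripping normally while the pickled and garbage entries come back as None rather than being deserialized, and the audit report lists which keys still hold pickle-format data. In a real deployment the same audit logic would be run over the keys returned by the backend (for example a Redis SCAN), and a non-empty 'pickle' set is the signal that the upgrade and serializer change have not yet taken effect for those entries.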