CVE-2021-33026

CRITICAL

Flask-Caching <1.10.1 - Code Injection

Title source: llm

Description

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision

Exploits (2)

nomisec WORKING POC 4 stars

by CarlosG13 · poc

https://github.com/CarlosG13/CVE-2021-33026

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by Agilevatester · poc

https://github.com/Agilevatester/FlaskCache_CVE-2021-33026_POC

View Code ZIP pw:eip

References (2)

[Patch, Third Party Advisory] https://github.com/sh4nks/flask-caching/pull/209

[Issue Tracking, Patch, Third Party Advisory] https://github.com/pallets-eco/flask-caching/pull/209#issuecomment-1136397937

Scores

CVSS v3 9.8

EPSS 0.1628

EPSS Percentile 94.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (2)

flask-caching_project/flask-caching < 1.10.1

pypi/Flask-Caching 0PyPI

Published May 13, 2021

Tracked Since Feb 18, 2026