DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-F66Q-9RF6-8795: GHSA-f66q-9rf6-8795: WebAuthn Re-authentication Freshness Bypass in Flask-Security-Too

GHSA-f66q-9rf6-8795: WebAuthn Re-authentication Freshness Bypass in Flask-Security-Too

Vulnerability ID: GHSA-F66Q-9RF6-8795
CVSS Score: 5.3
Published: 2026-07-07

An authentication freshness bypass vulnerability exists in the WebAuthn re-authentication path of Flask-Security-Too versions 5.8.0 and 5.8.1. The flaw allows an authenticated attacker to elevate the freshness status of a victim session using their own WebAuthn credential, bypassing re-authentication constraints.

TL;DR

An authenticated attacker can bypass session freshness gates by submitting their own WebAuthn cryptographic signature inside a victim's stale session, gaining unauthorized access to administrative or sensitive functions.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-305
  • Attack Vector: Network
  • CVSS Score: 5.3 (Medium)
  • Exploit Status: Proof-of-Concept Available
  • Impact: Re-authentication Freshness Bypass
  • KEV Status: Not Listed

Affected Systems

  • Flask-Security-Too
  • flask-security-too: >= 5.8.0, <= 5.8.1 (Fixed in: 5.8.2)

Code Analysis

Commit: 5c44c76

Vulnerable commit exposing the WebAuthn re-authentication path to cross-user credential validation

Mitigation Strategies

  • Upgrade to flask-security-too 5.8.2 or later
  • Disable WebAuthn as a verification factor if patching is delayed
  • Monitor the authentication logs for mismatched credential owners

Remediation Steps:

  1. Locate your Python dependency definitions (e.g., requirements.txt, Pipfile, poetry.lock)
  2. Update the flask-security-too dependency requirement to at least 5.8.2
  3. Run the package installer to apply the updated library version in the deployment environments
  4. Verify that the configuration variable SECURITY_WAN_ALLOW_AS_VERIFY is properly defined if custom re-authentication controls are required

References


Read the full report for GHSA-F66Q-9RF6-8795 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)