[Buildroot] [git commit branch/2025.05.x] package/python-flask-cors: security bump to v6.0.1

Thomas Perale thomas.perale at mind.be
Thu Sep 11 15:14:23 UTC 2025 

commit: https://git.buildroot.net/buildroot/commit/?id=3956c292d4407d27170752ae3a91ab22b336d6c2
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2025.05.x

This is a major version bump, because it could break user code that depends
on the (wrong) previous logic fixed by the new release

See the release notes:
- https://github.com/corydolphin/flask-cors/releases/tag/6.0.0
- https://github.com/corydolphin/flask-cors/releases/tag/6.0.1

This fixes the following vulnerabilities:
- CVE-2024-6839:
    corydolphin/flask-cors version 4.0.1 contains an improper regex path
    matching vulnerability. The plugin prioritizes longer regex patterns
    over more specific ones when matching paths, which can lead to less
    restrictive CORS policies being applied to sensitive endpoints. This
    mismatch in regex pattern priority allows unauthorized cross-origin
    access to sensitive data or functionality, potentially exposing
    confidential information and increasing the risk of unauthorized
    actions by malicious actors.
    https://www.cve.org/CVERecord?id=CVE-2024-6839

- CVE-2024-6844:
    A vulnerability in corydolphin/flask-cors version 4.0.1 allows for
    inconsistent CORS matching due to the handling of the '+' character in
    URL paths. The request.path is passed through the unquote_plus
    function, which converts the '+' character to a space ' '. This
    behavior leads to incorrect path normalization, causing potential
    mismatches in CORS configuration. As a result, endpoints may not be
    matched correctly to their CORS settings, leading to unexpected CORS
    policy application. This can cause unauthorized cross-origin access or
    block valid requests, creating security vulnerabilities and usability
    issues.
    https://www.cve.org/CVERecord?id=CVE-2024-6844

- CVE-2024-6866:
    corydolphin/flask-cors version 4.01 contains a vulnerability where the
    request path matching is case-insensitive due to the use of the
    `try_match` function, which is originally intended for matching hosts.
    This results in a mismatch because paths in URLs are case-sensitive,
    but the regex matching treats them as case-insensitive. This
    misconfiguration can lead to significant security vulnerabilities,
    allowing unauthorized origins to access paths meant to be restricted,
    resulting in data exposure and potential data leaks.
    https://www.cve.org/CVERecord?id=CVE-2024-6866

Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
(cherry picked from commit 04cd135b26406dcc31cb66af1480d53fffe81e59)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
 package/python-flask-cors/python-flask-cors.hash | 4 ++--
 package/python-flask-cors/python-flask-cors.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/python-flask-cors/python-flask-cors.hash b/package/python-flask-cors/python-flask-cors.hash
index 41c232df36..7070b5462e 100644
--- a/package/python-flask-cors/python-flask-cors.hash
+++ b/package/python-flask-cors/python-flask-cors.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/flask-cors/json
-md5  a6e8202cc008ef6f70ce75a7ae7f8d9d  flask_cors-5.0.0.tar.gz
-sha256  5aadb4b950c4e93745034594d9f3ea6591f734bb3662e16e255ffbf5e89c88ef  flask_cors-5.0.0.tar.gz
+md5  2879503d54f25a4cacb62f7060b96e14  flask_cors-6.0.1.tar.gz
+sha256  d81bcb31f07b0985be7f48406247e9243aced229b7747219160a0559edd678db  flask_cors-6.0.1.tar.gz
 # Locally computed sha256 checksums
 sha256  6e1a1bdc54834c1e0740cbce5d5f6f2cae1c846fd2a7f482b11649594fafbd5d  LICENSE
diff --git a/package/python-flask-cors/python-flask-cors.mk b/package/python-flask-cors/python-flask-cors.mk
index 1119648370..d0923d665b 100644
--- a/package/python-flask-cors/python-flask-cors.mk
+++ b/package/python-flask-cors/python-flask-cors.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PYTHON_FLASK_CORS_VERSION = 5.0.0
+PYTHON_FLASK_CORS_VERSION = 6.0.1
 PYTHON_FLASK_CORS_SOURCE = flask_cors-$(PYTHON_FLASK_CORS_VERSION).tar.gz
 PYTHON_FLASK_CORS_SITE = https://files.pythonhosted.org/packages/4f/d0/d9e52b154e603b0faccc0b7c2ad36a764d8755ef4036acbf1582a67fb86b
 PYTHON_FLASK_CORS_SETUP_TYPE = setuptools

More information about the buildroot mailing list