Medium severity5.3NVD Advisory· Published Apr 19, 2024· Updated Jun 17, 2026
CVE-2024-1681
CVE-2024-1681
Description
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
flask-corsPyPI | < 4.0.1 | 4.0.1 |
Affected products
19- osv-coords18 versionspkg:apk/chainguard/kubeflow-jupyter-web-apppkg:apk/chainguard/kubeflow-volumes-web-apppkg:apk/chainguard/py3.10-flask-corspkg:apk/chainguard/py3.11-flask-corspkg:apk/chainguard/py3.12-flask-corspkg:apk/chainguard/py3.13-flask-corspkg:apk/chainguard/py3-flask-corspkg:apk/chainguard/py3-supported-flask-corspkg:apk/wolfi/kubeflow-jupyter-web-apppkg:apk/wolfi/kubeflow-volumes-web-apppkg:apk/wolfi/py3.10-flask-corspkg:apk/wolfi/py3.11-flask-corspkg:apk/wolfi/py3.12-flask-corspkg:apk/wolfi/py3.13-flask-corspkg:apk/wolfi/py3-flask-corspkg:apk/wolfi/py3-supported-flask-corspkg:pypi/flask-corspkg:rpm/opensuse/python-Flask-Cors&distro=openSUSE%20Tumbleweed
< 1.8.0-r7+ 17 more
- (no CPE)range: < 1.8.0-r7
- (no CPE)range: < 1.8.0-r6
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 1.8.0-r7
- (no CPE)range: < 1.8.0-r6
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1-r0
- (no CPE)range: < 4.0.1
- (no CPE)range: < 4.0.1-1.1
- Range: unspecified
Patches
Vulnerability mechanics
References
6- huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-84pr-m4jr-85g5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-1681ghsaADVISORY
- github.com/corydolphin/flask-cors/blob/40acc8092332dfed4bb54d7a4f89a6d479466de7/flask_cors/extension.pyghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/flask-cors/PYSEC-2024-271.yamlghsaWEB
- lists.debian.org/debian-lts-announce/2025/05/msg00049.htmlnvdWEB
News mentions
0No linked articles in our index yet.