Session Cookie without Secure and HTTPOnly flags in taipy
Description
Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Taipy session cookies lack Secure and HTTPOnly flags, enabling session hijacking via XSS or MITM attacks.
Vulnerability
Overview
CVE-2024-47833 affects the Taipy open-source Python library, which is used by data scientists and machine learning engineers to build web applications. In affected versions, session cookies are served without the Secure and HTTPOnly flags [1]. The Secure flag ensures cookies are only transmitted over HTTPS, while the HTTPOnly flag prevents client-side scripts from accessing the cookie. The absence of these flags weakens the security of session management.
Exploitation
Prerequisites
An attacker can exploit this vulnerability through cross-site scripting (XSS) or man-in-the-middle (MITM) attacks. Without the HTTPOnly flag, a malicious script injected into the application can read the session cookie. Without the Secure flag, the cookie may be transmitted over unencrypted HTTP connections, allowing network-level interception [4]. The attack requires the attacker to either inject a script or be positioned on the network path between the user and the server.
Impact
Successful exploitation allows an attacker to steal a user's session cookie and impersonate that user, gaining unauthorized access to the application and its data. This can lead to data breaches, privilege escalation, and other malicious actions within the context of the compromised session.
Mitigation
The issue has been addressed in Taipy release version 4.0.0 [1]. All users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability.
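As an added check (not code from the Taipy project), the script below parses Set-Cookie headers and reports session cookies served without Secure or HttpOnly, so an operator can confirm the flags are present after upgrading; the cookie name "session" and the sample headers are assumptions, not values captured from Taipy.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not Taipy's own code. The cookie name "session" and the
sample headers below are assumptions/constructed, not captured from Taipy.
"""
from dataclasses import dataclass
from urllib.request import urlopen


@dataclass(frozen=True)
class CookieFinding:
    name: str
    secure: bool
    httponly: bool

    @property
    def missing(self) -> tuple[str, ...]:
        """Flags this cookie lacks, in the order the advisory names them."""
        checks = (("Secure", self.secure), ("HttpOnly", self.httponly))
        return tuple(flag for flag, present in checks if not present)


def parse_set_cookie(header: str) -> CookieFinding:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].split("=", 1)[0].strip()
    # Flag attributes carry no value, so only the attribute name is kept.
    attrs = {p.split("=", 1)[0].strip().lower() for p in pieces[1:] if p}
    return CookieFinding(name, "secure" in attrs, "httponly" in attrs)


def insecure_session_cookies(headers, session_names=("session",)):
    """Session cookies served without Secure or HttpOnly (the CVE condition)."""
    findings = (parse_set_cookie(h) for h in headers)
    return [f for f in findings if f.name in session_names and f.missing]


def fetch_set_cookie(url: str) -> list[str]:
    """Collect every Set-Cookie header from a response of your own deployment."""
    with urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers modelling the pre-fix and post-fix behaviour.
VULNERABLE = ["session=abc123; Path=/", "theme=dark; Path=/"]
FIXED = ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        bad = insecure_session_cookies(hdrs)
        print(label, "->", [(f.name, f.missing) for f in bad] or "ok")
```

Pass the output of fetch_set_cookie to insecure_session_cookies to check a live instance over HTTPS, since the Secure attribute only matters on the encrypted origin.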
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| taipy (PyPI) | < 4.0.0 | 4.0.0 |
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-r3jq-4r5c-j9hp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-47833 (ghsa, ADVISORY)
- github.com/Avaiga/taipy/blob/develop/frontend/taipy-gui/src/components/Taipy/Navigate.tsx (ghsa, WEB)
- github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp (ghsa, x_refsource_CONFIRM, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/taipy/PYSEC-2024-168.yaml (ghsa, WEB)
News mentions (0)
No linked articles in our index yet.