Update Flask to work with Werkzeug 2.2.3 due to open CVE #5021
Comments
Flask works fine with Werkzeug 2.2.3. It sounds like another library you're using is incompatible with recent releases. For example, in the question you linked, the error is coming from Flask-RestX, which I'm fairly sure was updated a while ago.
Note that the vulnerability you linked is "Low", and requires a confluence of other vulnerabilities in other places to actually get to the point of mattering in Werkzeug itself.
Actually, is this for flask-restx (someone else's project), or is it for Flask as well? It's a bit hard to tell in the logs.
It's for whatever is trying to do that import that no longer exists. You didn't show a traceback, so I can't say what it is, but it's not Flask itself.
Okay, thank you @davidism, will close and reopen with flask-restx. The error is actually from importing their library, but I was mistaken in thinking that it was actually coming from their usage of Flask.
It was already reported to Flask-RestX in python-restx/flask-restx#460, fixed in python-restx/flask-restx#463, which seems to have been released in Flask-RestX 1.0.0 in November 2022.
Hello Flask Team:
I am aware that bug reports regarding sub-dependencies may not be welcome here, but I feel that this is too important (in my case it's most likely a complete show-stopper).
We have invested a significant amount of time building REST APIs and webapps with Flask, and our CI/CD pipeline incorporates a well-known vulnerability scanner. Our build pipeline fails due to an open CVE in Werkzeug: https://nvd.nist.gov/vuln/detail/CVE-2023-23934
There are only two known versions of Werkzeug that do not have an associated CVE: 2.2.0 and the latest 2.2.3. However, due to the error ImportError: cannot import name 'parse_rule' from 'werkzeug.routing', we cannot update Werkzeug to 2.2.3.
The recommended solution is to downgrade Werkzeug to 2.1.2 (I believe), and that does work. However, that version and all previous versions have CVEs.
Is it possible to make Flask work with the newest Werkzeug 2.2.3? As of now we cannot push any new changes into production and are basically stuck until Flask works with the newest version of Werkzeug. I could be mistaken but I think this may be the case.
And as always, thank you for the support.
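The thread turns on two questions: which package actually executes the failing import (the maintainer points out that without a traceback this cannot be told apart from Flask itself), and what version floors let the scanner pass without downgrading Werkzeug. The following helper, added here as an illustration and not code from Flask, Werkzeug or Flask-RestX, attributes an ImportError to the package whose module ran the failing `from ... import ...` line, then applies the floors the thread arrives at (Werkzeug 2.2.3 for the CVE, Flask-RestX 1.0.0 for the parse_rule fix) as a CI gate. The traceback text, file paths, line numbers and installed-version dictionaries are constructed for the example; the function names are the example's own.

```python
import re
from pathlib import PurePosixPath

# Hypothetical diagnostic helper written for this thread; not Flask, Werkzeug
# or Flask-RestX code. It attributes an ImportError to the package that
# executed the failing import and then checks version floors for CI.

FRAME_RE = re.compile(r'^\s*File "(?P<path>[^"]+)", line \d+, in \S+')
IMPORT_ERR_RE = re.compile(
    r"ImportError: cannot import name '(?P<name>\w+)' from '(?P<module>[\w.]+)'"
)

# Constructed traceback in the shape this issue describes: application code
# imports flask_restx, whose api module imports a name Werkzeug 2.2 removed.
SAMPLE_TRACEBACK = """Traceback (most recent call last):
  File "/app/main.py", line 2, in <module>
    from flask_restx import Api
  File "/venv/lib/python3.10/site-packages/flask_restx/__init__.py", line 5, in <module>
    from .api import Api
  File "/venv/lib/python3.10/site-packages/flask_restx/api.py", line 21, in <module>
    from werkzeug.routing import parse_rule
ImportError: cannot import name 'parse_rule' from 'werkzeug.routing' (/venv/lib/python3.10/site-packages/werkzeug/routing/__init__.py)
"""


def package_of(path: str) -> str:
    """Map a traceback file path to the top-level package that owns it.

    Files below a site-packages or dist-packages directory are attributed to
    the first directory under that marker; anything else is application code.
    Backslashes are normalised so Windows paths work as well.
    """
    parts = PurePosixPath(path.replace("\\", "/")).parts
    for marker in ("site-packages", "dist-packages"):
        if marker in parts:
            idx = parts.index(marker)
            if idx + 1 < len(parts):
                return parts[idx + 1]
    return "<app>"


def attribute_import_error(traceback_text: str) -> dict:
    """Return the missing name, the module it was expected in, the package
    whose code executed the failing import, and the chain of packages."""
    frames = [m for m in map(FRAME_RE.match, traceback_text.splitlines()) if m]
    chain = [package_of(m.group("path")) for m in frames]
    err = IMPORT_ERR_RE.search(traceback_text)
    return {
        "missing_name": err.group("name") if err else None,
        "missing_from": err.group("module") if err else None,
        # The innermost frame is the module whose import statement failed,
        # so that package, not the one that was imported from, gets the blame.
        "blamed_package": chain[-1] if chain else None,
        "chain": chain,
    }


# Floors taken from this thread: Werkzeug 2.2.3 is the release without an
# open CVE (CVE-2023-23934) and Flask-RestX 1.0.0 carries the parse_rule fix.
MINIMUM_VERSIONS = {"werkzeug": "2.2.3", "flask-restx": "1.0.0"}


def _version_key(version: str) -> tuple:
    """Compare on the first three numeric components, padding with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def dependency_gate(installed: dict) -> list:
    """Return one finding per pinned package that is below its floor.

    `installed` maps distribution name to version (for example built from
    importlib.metadata); names are normalised so flask_restx == flask-restx.
    An empty list means the pipeline may proceed.
    """
    findings = []
    for name, version in installed.items():
        key = name.lower().replace("_", "-")
        floor = MINIMUM_VERSIONS.get(key)
        if floor and _version_key(version) < _version_key(floor):
            findings.append(f"{key} {version} is below the required {floor}")
    return findings


if __name__ == "__main__":
    print(attribute_import_error(SAMPLE_TRACEBACK))
    # Constructed version sets: the downgraded state from the issue, then the fix.
    print(dependency_gate({"Werkzeug": "2.1.2", "flask_restx": "0.5.1"}))
    print(dependency_gate({"Werkzeug": "2.2.3", "flask-restx": "1.0.0"}))
```

The attribution deliberately blames the innermost frame rather than the module named in the error: `werkzeug.routing` is where the name is missing, but `flask_restx/api.py` is the code that still asks for it, which is exactly the distinction the maintainer draws above. The gate encodes the thread's conclusion that the fix is to raise the Flask-RestX floor alongside Werkzeug, not to pin Werkzeug back to a version with known CVEs.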