Flask

registryPyPI

package nameflask

maintainerPallets

Flask is the most widely used Python microframework for web APIs and web applications. Its minimal core and extension ecosystem make it a common choice for small APIs, prototypes, and internal tools. Flask applications often run with elevated privileges or access to sensitive environment variables in production.

api usage

Checking Flask

flask 3.0.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=flask&version=3.0.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "flask",
  "version": "3.0.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

As the request/response dispatcher, Flask processes every HTTP request before any route handler or extension runs. A backdoored version has access to request bodies, headers, cookies, and session data before any application-level processing.

Attestd monitors flask using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.

Supply chain overview All PyPI packages Django FastAPI SQLAlchemy Celery Response fields