VULN UPGRADE: minor: Flask · patch: ddtrace [local_tests/serverless-init]

[campaigner-prod]

Summary: High-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

• local_tests/serverless-init (pip)

Updates

Package	From	To	Type	Vulnerabilities Fixed
Flask	2.1.2	2.3.3	minor	3 HIGH, 2 LOW
ddtrace	1.4.1	1.4.5	patch	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (3 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
Flask	GHSA-m2qf-hxjv-5gpq	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.1.2	2.3.2
Flask	PYSEC-2023-62	HIGH	-	2.1.2	70f906c51ce49c485f1d355703e9cc3386b1cc2b
Flask	CVE-2023-30861	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.1.2	-

ℹ️ Other Vulnerabilities (2)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
Flask	GHSA-68rp-wp8r-4726	LOW	Flask session does not add Vary: Cookie header when accessed in some ways	2.1.2	3.1.3
Flask	CVE-2026-27205	LOW	Flask session does not add Vary: Cookie header when accessed in some ways	2.1.2	-

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System