fix(deps): vuln minor: Jinja2, requests · patch: Flask [services/dbm] by gh-worker-campaigns-3e9aa4[bot] · Pull Request #192 · DataDog/storedog

gh-worker-campaigns-3e9aa4 · 2026-06-15T14:56:18Z

Summary: High-severity security update — 3 packages upgraded (MINOR changes included)

Manifests changed:

services/dbm (pip)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
Flask	2.2.2	2.2.5	patch	Direct	3 HIGH, 2 LOW
Jinja2	3.0	3.1.6	minor	Direct	10 MEDIUM
requests	2.25.1	2.34.2	minor	Direct	9 MEDIUM

Security Details

🚨 Critical & High Severity (3 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
Flask	GHSA-m2qf-hxjv-5gpq	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.2.2	2.3.2
Flask	CVE-2023-30861	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.2.2	-
Flask	PYSEC-2023-62	HIGH	-	2.2.2	70f906c51ce49c485f1d355703e9cc3386b1cc2b

ℹ️ Other Vulnerabilities (21)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
Jinja2	GHSA-h75v-3vvj-5mfj	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0	3.1.4
Jinja2	GHSA-cpwx-vrp4-4pq7	MODERATE	Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	3.0	3.1.6
Jinja2	CVE-2025-27516	MODERATE	Jinja sandbox breakout through attr filter selecting format method	3.0	-
Jinja2	CVE-2024-22195	MODERATE	Jinja vulnerable to Cross-Site Scripting (XSS)	3.0	-
Jinja2	CVE-2024-34064	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0	-
Jinja2	GHSA-gmj6-6f8f-6699	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.0	3.1.5
Jinja2	CVE-2024-56201	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.0	-
Jinja2	GHSA-h5c8-rqwp-cp95	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0	3.1.3
Jinja2	CVE-2024-56326	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.0	-
Jinja2	GHSA-q2x7-8rv6-6q7h	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.0	3.1.5
requests	GHSA-j8r2-6x86-q33q	MODERATE	Unintended leak of Proxy-Authorization header in requests	2.25.1	2.31.0
requests	PYSEC-2023-74	MODERATE	-	2.25.1	74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5
requests	GHSA-9hjg-9r4m-mvj7	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.25.1	2.32.4
requests	CVE-2024-47081	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.25.1	-
requests	GHSA-gc5v-m9x4-r6x2	MODERATE	Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function	2.25.1	2.33.0
requests	CVE-2026-25645	MODERATE	Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function	2.25.1	-
requests	CVE-2023-32681	MODERATE	Unintended leak of Proxy-Authorization header in requests	2.25.1	-
requests	CVE-2024-35195	MODERATE	Requests `Session` object does not verify requests after making first request with verify=False	2.25.1	-
requests	GHSA-9wx4-h78v-vm56	MODERATE	Requests `Session` object does not verify requests after making first request with verify=False	2.25.1	2.32.0
Flask	GHSA-68rp-wp8r-4726	LOW	Flask session does not add `Vary: Cookie` header when accessed in some ways	2.2.2	3.1.3
Flask	CVE-2026-27205	LOW	Flask session does not add `Vary: Cookie` header when accessed in some ways	2.2.2	-

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
requests	`2.25.1`	-	`2.34.2`	`services/dbm/requirements.txt`

Review Checklist

Standard review:

Review changes for compatibility with your code
Check for breaking changes in release notes
Run tests locally or wait for CI
Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

ADMS: vuln minor: Jinja2, requests · patch: Flask [services/dbm]

988011a

gh-worker-campaigns-3e9aa4 Bot added campaigner-automated-change adms-fixes-eol adms-high-severity adms-low-severity adms-medium-severity adms-minor-update adms-mode-all-vulns adms-python adms-dependency-update labels Jun 15, 2026

campaigner-prod Bot marked this pull request as ready for review June 16, 2026 12:42

campaigner-prod Bot requested review from a team as code owners June 16, 2026 12:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): vuln minor: Jinja2, requests · patch: Flask [services/dbm]#192

fix(deps): vuln minor: Jinja2, requests · patch: Flask [services/dbm]#192
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/pip/dbm/3-1781535367

gh-worker-campaigns-3e9aa4 Bot commented Jun 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

gh-worker-campaigns-3e9aa4 Bot commented Jun 15, 2026

Updates

Security Details

Review Checklist

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants