Integer Overflow in Flask with Hmac Signatures

An integer overflow can occur in a Flask application that uses HMAC signatures for request authentication when the application parses a numeric payload (e.g., amount, user ID, or timestamp) and incorporates it into the data that is signed or verified. If the application uses a fixed-size integer type or performs arithmetic on values without validating magnitude, an attacker can supply a large numeric value that wraps around, producing an incorrect but valid-looking result. This can lead to incorrect authorization decisions or logic bypass when the signature verification process relies on the overflowing value.

Consider a Flask route that signs a JSON payload containing an amount field using an HMAC. The server reads amount as a 32-bit signed integer, adds a constant fee, and then signs or verifies the combined value. If amount is near the maximum 32-bit integer (2,147,483647), adding the fee can overflow to a small negative or zero value. Because the signature is computed over the numeric result, an attacker can craft an input that overflows to a value the server treats as valid, while the server’s computed HMAC may still match due to the overflowed result being used in the signing step. This is especially relevant when the server and client compute signatures independently and compare them, or when the server trusts the client-supplied numeric field in the signature verification flow.

In practice, this risk appears when the API design exposes numeric fields that influence authorization or business logic and those fields are included in the HMAC input. For example, an endpoint that accepts order_id and total_cents in the signed string can be abused if total_cents overflows and wraps, yet the HMAC remains valid. Because the signature covers the overflowing value, the server may accept the request as authentic, leading to incorrect pricing, privilege escalation, or transaction manipulation. The issue is not the HMAC algorithm itself, but the way numeric values are handled before being fed into the signing or verification process.

An OpenAPI specification that describes such a flow might define a parameter as format: int32, which does not prevent an application from performing unsafe arithmetic. During scanning, middleware security checks can identify mismatches between expected numeric ranges and runtime behavior, highlighting where integer overflow could affect signature validation. Even when using robust libraries for HMAC in Flask, developers must ensure that values used in signature construction are validated, bounded, and converted to arbitrary-precision representations (e.g., Python’s int) before being included in the signed string.

To prevent integer overflow issues in Flask when using HMAC signatures, treat all numeric inputs as untrusted and validate their range before using them in signature computation. Use Python’s arbitrary-precision integers and enforce explicit bounds for fields such as amounts, identifiers, or timestamps. Avoid performing arithmetic that could overflow on fixed-size integers, and ensure the same canonicalization logic is applied on both client and server.

Below is a secure example of computing and verifying an HMAC signature in Flask, where the signed payload excludes raw user-controlled numeric fields or includes them only after validation and safe conversion.

import hmac
import hashlib
import json
from flask import Flask, request, abort

app = Flask(__name__)
SECRET_KEY = b'your-secure-secret'

def compute_signature(data: dict) -> str:
    """Compute HMAC-SHA256 over a canonical JSON string."""
    payload = json.dumps(data, separators=(',', ':'), sort_keys=True)
    return hmac.new(SECRET_KEY, payload.encode('utf-8'), hashlib.sha256).hexdigest()

@app.route('/order', methods=['POST'])
def create_order():
    body = request.get_json(force=True)
    amount_cents = body.get('amount_cents')

    # Validate and safely convert to prevent overflow issues
    if not isinstance(amount_cents, int) or amount_cents < 0 or amount_cents > 10_000_000:
        abort(400, 'Invalid amount')

    # Use safe, bounded values in the signed payload
    safe_data = {
        'order_id': str(body['order_id']),
        'amount_cents': amount_cents,
        'currency': 'usd'
    }
    expected_signature = compute_signature(safe_data)
    provided_signature = request.headers.get('X-Signature')

    if not hmac.compare_digest(expected_signature, provided_signature):
        abort(401, 'Invalid signature')

    return {'status': 'ok', 'amount_cents': amount_cents}

In this example, amount_cents is validated as a Python integer within an acceptable range before inclusion in the signed payload. By avoiding raw concatenation or unsafe casts, the code prevents integer overflow from affecting the HMAC. The server computes the signature over a canonical representation and uses a constant-time comparison to mitigate timing attacks. For broader protection, combine this approach with schema validation and continuous monitoring through the middleBrick Pro plan, which can flag inconsistencies between declared numeric ranges and runtime behavior.

When integrating HMAC-based authentication in Flask, prefer explicit serialization rules and avoid including unchecked user input directly in the signed string. The CLI tool (middlebrick scan <url>) can help identify endpoints where numeric fields are included in signature input without proper validation. For teams needing automated policy enforcement in development workflows, the GitHub Action adds API security checks to CI/CD pipelines and can fail builds if insecure patterns are detected. These measures reduce the likelihood that integer overflow or similar logic errors undermine the integrity of HMAC-signed requests.