VYPR

apk package

chainguard/airflow-2

pkg:apk/chainguard/airflow-2

Vulnerabilities (76)

  • CVE-2025-62611HigOct 22, 2025
    affected < 2.11.0-r15fixed 2.11.0-r15

    aiomysql is a library for accessing a MySQL database from the asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to creat

  • CVE-2025-8869MedSep 24, 2025
    affected < 2.11.2-r5fixed 2.11.2-r5

    When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by usi

  • CVE-2025-58754Sep 12, 2025
    affected < 2.11.0-r15fixed 2.11.0-r15

    Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire

  • CVE-2025-57804MedAug 25, 2025
    affected < 2.11.0-r12fixed 2.11.0-r12

    h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to

  • CVE-2025-7783CriJul 18, 2025
    affected < 2.11.0-r15fixed 2.11.0-r15

    Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

  • CVE-2025-50182Jun 19, 2025
    affected < 2.11.0-r5fixed 2.11.0-r5

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-50181Jun 19, 2025
    affected < 2.11.0-r5fixed 2.11.0-r5

    urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl

  • CVE-2025-27152Mar 7, 2025
    affected < 2.11.0-r15fixed 2.11.0-r15

    axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka

  • CVE-2024-52338Nov 28, 2024
    affected < 2.11.0-r15fixed 2.11.0-r15

    Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example, user-suppli

  • CVE-2024-21538HigNov 8, 2024
    affected < 2.11.0-r15fixed 2.11.0-r15

    Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted

  • CVE-2024-49767Oct 25, 2024
    affected < 2.11.1-r0fixed 2.11.1-r0

    Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively

  • CVE-2024-49766Oct 25, 2024
    affected < 2.11.1-r0fixed 2.11.1-r0

    Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended

  • CVE-2024-39338Aug 9, 2024
    affected < 2.11.0-r15fixed 2.11.0-r15

    axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

  • CVE-2024-34069May 6, 2024
    affected < 2.11.1-r0fixed 2.11.1-r0

    Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain

  • CVE-2023-46136HigOct 25, 2023
    affected < 2.11.1-r0fixed 2.11.1-r0

    Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are

  • CVE-2015-7764HigAug 9, 2017
    affected < 2.11.0-r15fixed 2.11.0-r15

    Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode.

Page 4 of 4