apk package

chainguard/airflow-3

pkg:apk/chainguard/airflow-3

Vulnerabilities (98)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-21860		—	< 0	0	Jan 8, 2026	Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are i
CVE-2026-21441		—	< 3.1.5-r3	3.1.5-r3	Jan 7, 2026	urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b
CVE-2025-69230		—	< 3.2.0-r0	3.2.0-r0	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w
CVE-2025-69229		—	< 3.2.0-r0	3.2.0-r0	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method
CVE-2025-69228		—	< 3.2.0-r0	3.2.0-r0	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ
CVE-2025-69227		—	< 3.2.0-r0	3.2.0-r0	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI
CVE-2025-69225		—	< 3.2.0-r0	3.2.0-r0	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi
CVE-2025-69226		—	< 3.2.0-r0	3.2.0-r0	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica
CVE-2025-69224		—	< 3.2.0-r0	3.2.0-r0	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u
CVE-2025-69223		—	< 3.2.0-r0	3.2.0-r0	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust
CVE-2025-69277	Med	4.5	< 3.1.6-r0	3.1.6-r0	Dec 31, 2025	libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic g
CVE-2025-68480	Med	5.3	< 3.1.5-r1	3.1.5-r1	Dec 22, 2025	Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request
CVE-2025-68161		—	< 3.2.0-r0	3.2.0-r0	Dec 18, 2025	The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
CVE-2025-68146		—	< 3.1.5-r0	3.1.5-r0	Dec 16, 2025	filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows
CVE-2025-66471		—	< 3.1.4-r0	3.1.4-r0	Dec 5, 2025	urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu
CVE-2025-66418		—	< 3.1.4-r0	3.1.4-r0	Dec 5, 2025	urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a
CVE-2025-66221		—	< 0	0	Nov 29, 2025	Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every direc
CVE-2025-62593	Cri	—	< 3.2.0-r0	3.2.0-r0	Nov 26, 2025	Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the c
CVE-2025-62727	Hig	7.5	< 3.2.0-r0	3.2.0-r0	Oct 28, 2025	Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enabl
CVE-2025-62611	Hig	—	< 3.1.0-r3	3.1.0-r3	Oct 22, 2025	aiomysql is a library for accessing a MySQL database from the asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to creat

CVE-2026-21860Jan 8, 2026
affected < 0fixed 0
Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are i
CVE-2026-21441Jan 7, 2026
affected < 3.1.5-r3fixed 3.1.5-r3
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b
CVE-2025-69230Jan 5, 2026
affected < 3.2.0-r0fixed 3.2.0-r0
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w
CVE-2025-69229Jan 5, 2026
affected < 3.2.0-r0fixed 3.2.0-r0
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method
CVE-2025-69228Jan 5, 2026
affected < 3.2.0-r0fixed 3.2.0-r0
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ
CVE-2025-69227Jan 5, 2026
affected < 3.2.0-r0fixed 3.2.0-r0
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI
CVE-2025-69225Jan 5, 2026
affected < 3.2.0-r0fixed 3.2.0-r0
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi
CVE-2025-69226Jan 5, 2026
affected < 3.2.0-r0fixed 3.2.0-r0
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica
CVE-2025-69224Jan 5, 2026
affected < 3.2.0-r0fixed 3.2.0-r0
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u
CVE-2025-69223Jan 5, 2026
affected < 3.2.0-r0fixed 3.2.0-r0
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust
CVE-2025-69277MedDec 31, 2025
affected < 3.1.6-r0fixed 3.1.6-r0
libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic g
CVE-2025-68480MedDec 22, 2025
affected < 3.1.5-r1fixed 3.1.5-r1
Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request
CVE-2025-68161Dec 18, 2025
affected < 3.2.0-r0fixed 3.2.0-r0
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
CVE-2025-68146Dec 16, 2025
affected < 3.1.5-r0fixed 3.1.5-r0
filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows
CVE-2025-66471Dec 5, 2025
affected < 3.1.4-r0fixed 3.1.4-r0
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu
CVE-2025-66418Dec 5, 2025
affected < 3.1.4-r0fixed 3.1.4-r0
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a
CVE-2025-66221Nov 29, 2025
affected < 0fixed 0
Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every direc
CVE-2025-62593CriNov 26, 2025
affected < 3.2.0-r0fixed 3.2.0-r0
Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the c
CVE-2025-62727HigOct 28, 2025
affected < 3.2.0-r0fixed 3.2.0-r0
Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enabl
CVE-2025-62611HigOct 22, 2025
affected < 3.1.0-r3fixed 3.1.0-r3
aiomysql is a library for accessing a MySQL database from the asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to creat

Page 4 of 5