VYPR

apk package

chainguard/localstack-compat

pkg:apk/chainguard/localstack-compat

Vulnerabilities (13)

  • CVE-2025-68131Dec 31, 2025
    affected < 4.12.0-r1fixed 4.12.0-r1

    cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28)

  • CVE-2025-66221Nov 29, 2025
    affected < 4.11.1-r1fixed 4.11.1-r1

    Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every direc

  • CVE-2025-65015Nov 18, 2025
    affected < 4.10.0-r1fixed 4.10.0-r1

    joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token part

  • CVE-2025-57804MedAug 25, 2025
    affected < 4.7.0-r5fixed 4.7.0-r5

    h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to

  • CVE-2025-50182Jun 19, 2025
    affected < 4.10.0-r0fixed 4.10.0-r0

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-22874HigJun 11, 2025
    affected < 4.10.0-r0fixed 4.10.0-r0

    Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

  • CVE-2025-48734May 28, 2025
    affected < 4.10.0-r0fixed 4.10.0-r0

    Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no

  • CVE-2025-47273May 17, 2025
    affected < 0fixed 0

    setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on

  • CVE-2025-43859CriApr 24, 2025
    affected < 4.3.0-r1fixed 4.3.0-r1

    h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since explo

  • CVE-2024-12797MedFeb 11, 2025
    affected < 4.1.1-r2fixed 4.1.1-r2

    Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections u

  • CVE-2024-56326Dec 23, 2024
    affected < 4.1.0-r0fixed 4.1.0-r0

    Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs t

  • CVE-2024-56201Dec 23, 2024
    affected < 4.1.0-r0fixed 4.1.0-r0

    Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit

  • CVE-2023-45288HigApr 4, 2024
    affected < 4.1.0-r0fixed 4.1.0-r0

    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma