apk package
chainguard/metaflow-service-fips
pkg:apk/chainguard/metaflow-service-fips
Vulnerabilities (29)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-54274 | — | < 2.5.0-r5 | 2.5.0-r5 | Jun 15, 2026 | ### Summary If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. ### Impact If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive m | ||
| CVE-2026-54275 | low | — | < 2.5.0-r5 | 2.5.0-r5 | Jun 15, 2026 | ### Summary The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused. ### Impact If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reus | |
| CVE-2026-54280 | low | — | < 2.5.0-r5 | 2.5.0-r5 | Jun 15, 2026 | ### Summary Payload resources are not closed correctly when a client disconnects in the middle of a write. ### Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection | |
| CVE-2026-54273 | — | < 2.5.0-r5 | 2.5.0-r5 | Jun 15, 2026 | ### Summary No limit was present on the number of pipelined requests that could be queued. ### Impact An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. ----- Patch: https://github.com/aio-libs/aiohttp/commit/dfd | ||
| CVE-2026-54278 | — | < 2.5.0-r5 | 2.5.0-r5 | Jun 15, 2026 | ### Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. ### Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip | ||
| CVE-2026-54277 | — | < 2.5.0-r5 | 2.5.0-r5 | Jun 15, 2026 | ### Summary It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. ### Impact If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an exces | ||
| CVE-2026-54276 | — | < 2.5.0-r5 | 2.5.0-r5 | Jun 15, 2026 | ### Summary ``DigestAuthMiddleware`` can send an authentication response after following a cross-origin redirect. ### Impact If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest. This likel | ||
| CVE-2026-54279 | low | — | < 2.5.0-r5 | 2.5.0-r5 | Jun 15, 2026 | ### Summary Host-only cookies that are saved with ``CookieJar.save()`` and then restored later with ``CookieJar.load()`` lose their host-only status. ### Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disall | |
| CVE-2026-45409 | Med | 5.3 | < 2.5.0-r4 | 2.5.0-r4 | Jun 5, 2026 | Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t | |
| CVE-2026-48526 | Hig | 7.4 | < 2.5.0-r5 | 2.5.0-r5 | May 28, 2026 | PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer publ | |
| CVE-2026-48525 | Med | 5.3 | < 2.5.0-r5 | 2.5.0-r5 | May 28, 2026 | PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-p | |
| CVE-2026-48524 | Low | 3.7 | < 2.5.0-r5 | 2.5.0-r5 | May 28, 2026 | PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can tr | |
| CVE-2026-48523 | Med | 5.4 | < 2.5.0-r5 | 2.5.0-r5 | May 28, 2026 | PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list | |
| CVE-2026-48522 | Med | 4.2 | < 2.5.0-r5 | 2.5.0-r5 | May 28, 2026 | PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There i | |
| CVE-2026-44432 | Hig | 7.5 | < 2.5.0-r4 | 2.5.0-r4 | May 13, 2026 | urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w | |
| CVE-2026-44431 | Med | 5.3 | < 2.5.0-r4 | 2.5.0-r4 | May 13, 2026 | urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0. | |
| CVE-2026-34525 | Med | 5.3 | < 2.5.0-r2 | 2.5.0-r2 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4. | |
| CVE-2026-34520 | Cri | 9.1 | < 2.5.0-r2 | 2.5.0-r2 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4. | |
| CVE-2026-34519 | Med | 5.3 | < 2.5.0-r2 | 2.5.0-r2 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4. | |
| CVE-2026-34518 | Med | 5.3 | < 2.5.0-r2 | 2.5.0-r2 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in |
- CVE-2026-54274Jun 15, 2026affected < 2.5.0-r5fixed 2.5.0-r5
### Summary If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. ### Impact If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive m
- affected < 2.5.0-r5fixed 2.5.0-r5
### Summary The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused. ### Impact If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reus
- affected < 2.5.0-r5fixed 2.5.0-r5
### Summary Payload resources are not closed correctly when a client disconnects in the middle of a write. ### Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection
- CVE-2026-54273Jun 15, 2026affected < 2.5.0-r5fixed 2.5.0-r5
### Summary No limit was present on the number of pipelined requests that could be queued. ### Impact An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. ----- Patch: https://github.com/aio-libs/aiohttp/commit/dfd
- CVE-2026-54278Jun 15, 2026affected < 2.5.0-r5fixed 2.5.0-r5
### Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. ### Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip
- CVE-2026-54277Jun 15, 2026affected < 2.5.0-r5fixed 2.5.0-r5
### Summary It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. ### Impact If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an exces
- CVE-2026-54276Jun 15, 2026affected < 2.5.0-r5fixed 2.5.0-r5
### Summary ``DigestAuthMiddleware`` can send an authentication response after following a cross-origin redirect. ### Impact If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest. This likel
- affected < 2.5.0-r5fixed 2.5.0-r5
### Summary Host-only cookies that are saved with ``CookieJar.save()`` and then restored later with ``CookieJar.load()`` lose their host-only status. ### Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disall
- affected < 2.5.0-r4fixed 2.5.0-r4
Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t
- affected < 2.5.0-r5fixed 2.5.0-r5
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer publ
- affected < 2.5.0-r5fixed 2.5.0-r5
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-p
- affected < 2.5.0-r5fixed 2.5.0-r5
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can tr
- affected < 2.5.0-r5fixed 2.5.0-r5
PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list
- affected < 2.5.0-r5fixed 2.5.0-r5
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There i
- affected < 2.5.0-r4fixed 2.5.0-r4
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w
- affected < 2.5.0-r4fixed 2.5.0-r4
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
- affected < 2.5.0-r2fixed 2.5.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.
- affected < 2.5.0-r2fixed 2.5.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
- affected < 2.5.0-r2fixed 2.5.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
- affected < 2.5.0-r2fixed 2.5.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in
Page 1 of 2