VYPR

apk package

chainguard/py3.9-pip

pkg:apk/chainguard/py3.9-pip

Vulnerabilities (5)

  • CVE-2026-44431 | Medium | May 13, 2026
    affected < 25.3-r0 | fixed 25.3-r0

    urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

  • CVE-2025-8869 | Medium | Sep 24, 2025
    affected < 25.2-r1 | fixed 25.2-r1

    When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by usi

  • CVE-2025-50182 | Jun 19, 2025
    affected < 25.1.1-r0 | fixed 25.1.1-r0

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2024-47081 | Medium | Jun 9, 2025
    affected < 25.2-r0 | fixed 25.2-r0

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2018-20225 | High | May 8, 2020
    affected < 0 | fixed 0

    An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the