VYPR

apk package

chainguard/request-1276-compat

pkg:apk/chainguard/request-1276-compat

Vulnerabilities (19)

  • CVE-2025-68146Dec 16, 2025
    affected < 0.26.0-r3fixed 0.26.0-r3

    filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows

  • CVE-2025-53643Jul 14, 2025
    affected < 0.24.1-r3fixed 0.24.1-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed

  • CVE-2025-50182Jun 19, 2025
    affected < 0.26.0-r0fixed 0.26.0-r0

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-4565Jun 16, 2025
    affected < 0.24.1-r1fixed 0.24.1-r1

    Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of s

  • CVE-2024-47081MedJun 9, 2025
    affected < 0fixed 0

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2025-47273May 17, 2025
    affected < 0fixed 0

    setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on

  • CVE-2024-12797MedFeb 11, 2025
    affected < 0.23.0-r1fixed 0.23.0-r1

    Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections u

  • CVE-2024-53899Nov 24, 2024
    affected < 0.23.0-r0fixed 0.23.0-r0

    virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.

  • CVE-2024-52304Nov 18, 2024
    affected < 0.22.3-r1fixed 0.22.3-r1

    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai

  • CVE-2024-42367Aug 9, 2024
    affected < 0.22.3-r1fixed 0.22.3-r1

    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director

  • CVE-2024-6345HigJul 15, 2024
    affected < 0.23.0-r0fixed 0.23.0-r0

    A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are suscepti

  • CVE-2024-3651Jul 7, 2024
    affected < 0.23.0-r0fixed 0.23.0-r0

    A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co

  • CVE-2024-39689Jul 5, 2024
    affected < 0.23.0-r0fixed 0.23.0-r0

    Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro

  • CVE-2024-37891Jun 17, 2024
    affected < 0.23.0-r0fixed 0.23.0-r0

    urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it'

  • CVE-2024-35255Jun 11, 2024
    affected < 0.21.0-r2fixed 0.21.0-r2

    Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

  • CVE-2024-35195MedMay 20, 2024
    affected < 0.23.0-r0fixed 0.23.0-r0

    Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes

  • CVE-2024-27306Apr 18, 2024
    affected < 0.20.1-r0fixed 0.20.1-r0

    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files.

  • CVE-2024-26130Feb 21, 2024
    affected < 0.23.0-r30fixed 0.23.0-r30

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided

  • CVE-2023-45803Oct 17, 2023
    affected < 0.23.0-r0fixed 0.23.0-r0

    urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GE