VYPR

apk package

chainguard/text-generation-inference-compat

pkg:apk/chainguard/text-generation-inference-compat

Vulnerabilities (14)

  • CVE-2025-68146Dec 16, 2025
    affected < 3.3.7-r0fixed 3.3.7-r0

    filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows

  • CVE-2025-6921Sep 23, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in th

  • CVE-2025-6051Sep 14, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.

  • CVE-2025-6638Sep 12, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0

  • CVE-2025-5197Aug 6, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a reg

  • CVE-2025-53643Jul 14, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed

  • CVE-2025-3933Jul 11, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The

  • CVE-2025-3777Jul 7, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. Th

  • CVE-2025-50182Jun 19, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-50181Jun 19, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl

  • CVE-2025-4565Jun 16, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of s

  • CVE-2024-47081MedJun 9, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2025-47273May 17, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on

  • CVE-2025-27516Mar 5, 2025
    affected < 3.3.6-r3fixed 3.3.6-r3

    Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker nee