apk package
chainguard/text-generation-inference
pkg:apk/chainguard/text-generation-inference
Vulnerabilities (41)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34515 | Hig | 7.5 | < 3.3.7-r10 | 3.3.7-r10 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4. | |
| CVE-2026-34514 | Med | 5.3 | < 3.3.7-r10 | 3.3.7-r10 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4. | |
| CVE-2026-34513 | Hig | 7.5 | < 3.3.7-r10 | 3.3.7-r10 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4. | |
| CVE-2026-22815 | Hig | 7.5 | < 3.3.7-r10 | 3.3.7-r10 | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4. | |
| CVE-2026-25645 | — | < 3.3.7-r9 | 3.3.7-r9 | Mar 25, 2026 | Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid | ||
| CVE-2026-4539 | Low | 3.3 | < 3.3.7-r9 | 3.3.7-r9 | Mar 22, 2026 | A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit | |
| CVE-2026-25087 | — | < 3.3.7-r15 | 3.3.7-r15 | Feb 17, 2026 | Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as B | ||
| CVE-2025-68146 | — | < 3.3.7-r0 | 3.3.7-r0 | Dec 16, 2025 | filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows | ||
| CVE-2025-6921 | — | < 3.3.6-r3 | 3.3.6-r3 | Sep 23, 2025 | The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in th | ||
| CVE-2025-6051 | — | < 3.3.7-r9 | 3.3.7-r9 | Sep 14, 2025 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4. | ||
| CVE-2025-6638 | — | < 3.3.6-r3 | 3.3.6-r3 | Sep 12, 2025 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0 | ||
| CVE-2025-5197 | — | < 3.3.7-r9 | 3.3.7-r9 | Aug 6, 2025 | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a reg | ||
| CVE-2025-53643 | — | < 3.3.6-r3 | 3.3.6-r3 | Jul 14, 2025 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed | ||
| CVE-2025-3933 | — | < 3.3.7-r9 | 3.3.7-r9 | Jul 11, 2025 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The | ||
| CVE-2025-3777 | — | < 3.3.6-r3 | 3.3.6-r3 | Jul 7, 2025 | Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. Th | ||
| CVE-2025-50182 | — | < 3.3.6-r3 | 3.3.6-r3 | Jun 19, 2025 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque | ||
| CVE-2025-50181 | — | < 3.3.6-r3 | 3.3.6-r3 | Jun 19, 2025 | urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl | ||
| CVE-2025-4565 | — | < 3.3.6-r3 | 3.3.6-r3 | Jun 16, 2025 | Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of s | ||
| CVE-2024-47081 | Med | 5.3 | < 3.3.6-r3 | 3.3.6-r3 | Jun 9, 2025 | Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc | |
| CVE-2025-47273 | — | < 3.3.6-r3 | 3.3.6-r3 | May 17, 2025 | setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on |
- affected < 3.3.7-r10fixed 3.3.7-r10
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
- affected < 3.3.7-r10fixed 3.3.7-r10
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
- affected < 3.3.7-r10fixed 3.3.7-r10
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
- affected < 3.3.7-r10fixed 3.3.7-r10
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
- CVE-2026-25645Mar 25, 2026affected < 3.3.7-r9fixed 3.3.7-r9
Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid
- affected < 3.3.7-r9fixed 3.3.7-r9
A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit
- CVE-2026-25087Feb 17, 2026affected < 3.3.7-r15fixed 3.3.7-r15
Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as B
- CVE-2025-68146Dec 16, 2025affected < 3.3.7-r0fixed 3.3.7-r0
filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows
- CVE-2025-6921Sep 23, 2025affected < 3.3.6-r3fixed 3.3.6-r3
The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in th
- CVE-2025-6051Sep 14, 2025affected < 3.3.7-r9fixed 3.3.7-r9
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.
- CVE-2025-6638Sep 12, 2025affected < 3.3.6-r3fixed 3.3.6-r3
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0
- CVE-2025-5197Aug 6, 2025affected < 3.3.7-r9fixed 3.3.7-r9
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a reg
- CVE-2025-53643Jul 14, 2025affected < 3.3.6-r3fixed 3.3.6-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed
- CVE-2025-3933Jul 11, 2025affected < 3.3.7-r9fixed 3.3.7-r9
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The
- CVE-2025-3777Jul 7, 2025affected < 3.3.6-r3fixed 3.3.6-r3
Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. Th
- CVE-2025-50182Jun 19, 2025affected < 3.3.6-r3fixed 3.3.6-r3
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque
- CVE-2025-50181Jun 19, 2025affected < 3.3.6-r3fixed 3.3.6-r3
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl
- CVE-2025-4565Jun 16, 2025affected < 3.3.6-r3fixed 3.3.6-r3
Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of s
- affected < 3.3.6-r3fixed 3.3.6-r3
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc
- CVE-2025-47273May 17, 2025affected < 3.3.6-r3fixed 3.3.6-r3
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on
Page 2 of 3