VYPR

apk package

wolfi/dask-kubernetes

pkg:apk/wolfi/dask-kubernetes

Vulnerabilities (41)

  • CVE-2026-26007Feb 10, 2026
    affected < 2025.7.0-r8fixed 2025.7.0-r8

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke

  • CVE-2026-24049Jan 22, 2026
    affected < 2025.7.0-r8fixed 2025.7.0-r8

    wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil

  • CVE-2026-23949Jan 20, 2026
    affected < 2025.7.0-r6fixed 2025.7.0-r6

    jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta

  • CVE-2026-23490Jan 16, 2026
    affected < 2025.7.0-r6fixed 2025.7.0-r6

    pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

  • CVE-2026-23528Jan 16, 2026
    affected < 2025.7.0-r6fixed 2025.7.0-r6

    Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) b

  • CVE-2026-21441Jan 7, 2026
    affected < 2025.7.0-r5fixed 2025.7.0-r5

    urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b

  • CVE-2025-69230Jan 5, 2026
    affected < 2025.7.0-r4fixed 2025.7.0-r4

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w

  • CVE-2025-69229Jan 5, 2026
    affected < 2025.7.0-r4fixed 2025.7.0-r4

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method

  • CVE-2025-69228Jan 5, 2026
    affected < 2025.7.0-r4fixed 2025.7.0-r4

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ

  • CVE-2025-69227Jan 5, 2026
    affected < 2025.7.0-r4fixed 2025.7.0-r4

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI

  • CVE-2025-69225Jan 5, 2026
    affected < 2025.7.0-r4fixed 2025.7.0-r4

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi

  • CVE-2025-69226Jan 5, 2026
    affected < 2025.7.0-r4fixed 2025.7.0-r4

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica

  • CVE-2025-69224Jan 5, 2026
    affected < 2025.7.0-r4fixed 2025.7.0-r4

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u

  • CVE-2025-69223Jan 5, 2026
    affected < 2025.7.0-r4fixed 2025.7.0-r4

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust

  • CVE-2025-66471Dec 5, 2025
    affected < 2025.7.0-r2fixed 2025.7.0-r2

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu

  • CVE-2025-66418Dec 5, 2025
    affected < 2025.7.0-r2fixed 2025.7.0-r2

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a

  • CVE-2025-53643Jul 14, 2025
    affected < 2025.7.0-r1fixed 2025.7.0-r1

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed

  • CVE-2025-50182Jun 19, 2025
    affected < 2025.4.3-r4fixed 2025.4.3-r4

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-50181Jun 19, 2025
    affected < 2025.4.3-r4fixed 2025.4.3-r4

    urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl

  • CVE-2024-47081MedJun 9, 2025
    affected < 0fixed 0

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc