| Severity | CVE ID | Package | Installed | Fixed In | Description |
|---|---|---|---|---|---|
| MEDIUM | CVE-2025-27516 | Jinja2 | 3.1.5 | 3.1.6 | jinja2: Jinja sandbox breakout through attr filter selecting format method |
| CRITICAL | CVE-2025-43859 | h11 | 0.14.0 | 0.16.0 | h11: h11 accepts some malformed Chunked-Encoding bodies |
| MEDIUM | CVE-2025-67221 | orjson | 3.10.15 | No fix | orjson: Denial of Service due to unbounded recursion with deeply nested JSON documents |
| HIGH | CVE-2026-24486 | python-multipart | 0.0.20 | 0.0.22 | python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability |
| HIGH | CVE-2025-62727 | starlette | 0.45.3 | 0.49.1 | starlette: Starlette DoS via Range header merging |
| MEDIUM | CVE-2025-54121 | starlette | 0.45.3 | 0.47.2 | starlette: Starlette denial-of-service |
| Type | File | Line | Match |
|---|---|---|---|
| ✅ No secrets found | | | |
| Severity | ID | Check | File | Message |
|---|---|---|---|---|
| HIGH | DS-0029 | 'apt-get' missing '--no-install-recommends' | Dockerfile | '--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y ffmpeg && rm -rf /var/lib/apt/lists/*' |
{
"SchemaVersion": 2,
"Trivy": {
"Version": "0.69.0"
},
"ReportID": "019ce5b0-b043-78b3-9202-d6515659ade8",
"CreatedAt": "2026-03-13T05:34:47.875571596Z",
"ArtifactID": "sha256:24404ba4b10384602987fe6581b91a8aa7b1a8343edf8a4c449e5464e805b39d",
"ArtifactName": "/src",
"ArtifactType": "repository",
"Metadata": {
"RepoURL": "https://github.com/eizen-ai/eizen-linkedin-service.git",
"Branch": "code-refactor-v1",
"Commit": "a19643ad586b7099c9eecadd7c843894ffc68d7c",
"CommitMsg": "code-refactoring",
"Author": "eizen-prasad <prasad.ayithireddi@eizen.ai>",
"Committer": "eizen-prasad <prasad.ayithireddi@eizen.ai>"
},
"Results": [
{
"Target": "requirements.txt",
"Class": "lang-pkgs",
"Type": "pip",
"Packages": [
{
"Name": "Jinja2",
"Identifier": {
"PURL": "pkg:pypi/jinja2@3.1.5",
"UID": "94e7ca9e0915135b"
},
"Version": "3.1.5",
"Locations": [
{
"StartLine": 15,
"EndLine": 15
}
],
"AnalyzedBy": "pip"
},
{
"Name": "MarkupSafe",
"Identifier": {
"PURL": "pkg:pypi/markupsafe@3.0.2",
"UID": "43eff7787dd61f2b"
},
"Version": "3.0.2",
"Locations": [
{
"StartLine": 17,
"EndLine": 17
}
],
"AnalyzedBy": "pip"
},
{
"Name": "PyYAML",
"Identifier": {
"PURL": "pkg:pypi/pyyaml@6.0.2",
"UID": "f2ea8b6ed1fb69e4"
},
"Version": "6.0.2",
"Locations": [
{
"StartLine": 27,
"EndLine": 27
}
],
"AnalyzedBy": "pip"
},
{
"Name": "Pygments",
"Identifier": {
"PURL": "pkg:pypi/pygments@2.19.1",
"UID": "eeaf6fd8b3d25c0a"
},
"Version": "2.19.1",
"Locations": [
{
"StartLine": 24,
"EndLine": 24
}
],
"AnalyzedBy": "pip"
},
{
"Name": "annotated-types",
"Identifier": {
"PURL": "pkg:pypi/annotated-types@0.7.0",
"UID": "b9d1b278e1f8ff8f"
},
"Version": "0.7.0",
"Locations": [
{
"StartLine": 1,
"EndLine": 1
}
],
"AnalyzedBy": "pip"
},
{
"Name": "anyio",
"Identifier": {
"PURL": "pkg:pypi/anyio@4.8.0",
"UID": "492d5e83beff65ba"
},
"Version": "4.8.0",
"Locations": [
{
"StartLine": 2,
"EndLine": 2
}
],
"AnalyzedBy": "pip"
},
{
"Name": "boto3",
"Identifier": {
"PURL": "pkg:pypi/boto3@1.42.46",
"UID": "8119509d05388f66"
},
"Version": "1.42.46",
"Locations": [
{
"StartLine": 41,
"EndLine": 41
}
],
"AnalyzedBy": "pip"
},
{
"Name": "certifi",
"Identifier": {
"PURL": "pkg:pypi/certifi@2025.1.31",
"UID": "f106f17482c90b34"
},
"Version": "2025.1.31",
"Locations": [
{
"StartLine": 3,
"EndLine": 3
}
],
"AnalyzedBy": "pip"
},
{
"Name": "click",
"Identifier": {
"PURL": "pkg:pypi/click@8.1.8",
"UID": "ba4845912e3d8aba"
},
"Version": "8.1.8",
"Locations": [
{
"StartLine": 4,
"EndLine": 4
}
],
"AnalyzedBy": "pip"
},
{
"Name": "dnspython",
"Identifier": {
"PURL": "pkg:pypi/dnspython@2.7.0",
"UID": "a96d933ea4bd965a"
},
"Version": "2.7.0",
"Locations": [
{
"StartLine": 5,
"EndLine": 5
}
],
"AnalyzedBy": "pip"
},
{
"Name": "email_validator",
"Identifier": {
"PURL": "pkg:pypi/email-validator@2.2.0",
"UID": "b0a63712203fa3a8"
},
"Version": "2.2.0",
"Locations": [
{
"StartLine": 6,
"EndLine": 6
}
],
"AnalyzedBy": "pip"
},
{
"Name": "fastapi",
"Identifier": {
"PURL": "pkg:pypi/fastapi@0.115.8",
"UID": "b04c9231bfb09cdb"
},
"Version": "0.115.8",
"Locations": [
{
"StartLine": 7,
"EndLine": 7
}
],
"AnalyzedBy": "pip"
},
{
"Name": "fastapi-cli",
"Identifier": {
"PURL": "pkg:pypi/fastapi-cli@0.0.7",
"UID": "993fba3686f4f176"
},
"Version": "0.0.7",
"Locations": [
{
"StartLine": 8,
"EndLine": 8
}
],
"AnalyzedBy": "pip"
},
{
"Name": "h11",
"Identifier": {
"PURL": "pkg:pypi/h11@0.14.0",
"UID": "80d2cac810fa3b4e"
},
"Version": "0.14.0",
"Locations": [
{
"StartLine": 9,
"EndLine": 9
}
],
"AnalyzedBy": "pip"
},
{
"Name": "httpcore",
"Identifier": {
"PURL": "pkg:pypi/httpcore@1.0.7",
"UID": "bc4e883764712e0b"
},
"Version": "1.0.7",
"Locations": [
{
"StartLine": 10,
"EndLine": 10
}
],
"AnalyzedBy": "pip"
},
{
"Name": "httptools",
"Identifier": {
"PURL": "pkg:pypi/httptools@0.6.4",
"UID": "1b9e06c247d46e4d"
},
"Version": "0.6.4",
"Locations": [
{
"StartLine": 11,
"EndLine": 11
}
],
"AnalyzedBy": "pip"
},
{
"Name": "httpx",
"Identifier": {
"PURL": "pkg:pypi/httpx@0.28.1",
"UID": "4d4b462fefd8372f"
},
"Version": "0.28.1",
"Locations": [
{
"StartLine": 12,
"EndLine": 12
}
],
"AnalyzedBy": "pip"
},
{
"Name": "idna",
"Identifier": {
"PURL": "pkg:pypi/idna@3.10",
"UID": "14504d6fe7a7552f"
},
"Version": "3.10",
"Locations": [
{
"StartLine": 13,
"EndLine": 13
}
],
"AnalyzedBy": "pip"
},
{
"Name": "itsdangerous",
"Identifier": {
"PURL": "pkg:pypi/itsdangerous@2.2.0",
"UID": "94e726aa59b4cc6f"
},
"Version": "2.2.0",
"Locations": [
{
"StartLine": 14,
"EndLine": 14
}
],
"AnalyzedBy": "pip"
},
{
"Name": "loguru",
"Identifier": {
"PURL": "pkg:pypi/loguru@0.7.3",
"UID": "4f2bd7fca9859b76"
},
"Version": "0.7.3",
"Locations": [
{
"StartLine": 42,
"EndLine": 42
}
],
"AnalyzedBy": "pip"
},
{
"Name": "markdown-it-py",
"Identifier": {
"PURL": "pkg:pypi/markdown-it-py@3.0.0",
"UID": "12f684afe01d46bd"
},
"Version": "3.0.0",
"Locations": [
{
"StartLine": 16,
"EndLine": 16
}
],
"AnalyzedBy": "pip"
},
{
"Name": "mdurl",
"Identifier": {
"PURL": "pkg:pypi/mdurl@0.1.2",
"UID": "2163e71a4e464569"
},
"Version": "0.1.2",
"Locations": [
{
"StartLine": 18,
"EndLine": 18
}
],
"AnalyzedBy": "pip"
},
{
"Name": "orjson",
"Identifier": {
"PURL": "pkg:pypi/orjson@3.10.15",
"UID": "297d4913f6a6ac7e"
},
"Version": "3.10.15",
"Locations": [
{
"StartLine": 19,
"EndLine": 19
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pydantic",
"Identifier": {
"PURL": "pkg:pypi/pydantic@2.10.6",
"UID": "bcfbf8efc9c89a0e"
},
"Version": "2.10.6",
"Locations": [
{
"StartLine": 20,
"EndLine": 20
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pydantic-extra-types",
"Identifier": {
"PURL": "pkg:pypi/pydantic-extra-types@2.10.2",
"UID": "b3d276a728fddfc8"
},
"Version": "2.10.2",
"Locations": [
{
"StartLine": 21,
"EndLine": 21
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pydantic-settings",
"Identifier": {
"PURL": "pkg:pypi/pydantic-settings@2.8.0",
"UID": "bb3cb53c13c95e33"
},
"Version": "2.8.0",
"Locations": [
{
"StartLine": 22,
"EndLine": 22
}
],
"AnalyzedBy": "pip"
},
{
"Name": "pydantic_core",
"Identifier": {
"PURL": "pkg:pypi/pydantic-core@2.27.2",
"UID": "ccec86ce514b0dda"
},
"Version": "2.27.2",
"Locations": [
{
"StartLine": 23,
"EndLine": 23
}
],
"AnalyzedBy": "pip"
},
{
"Name": "python-dotenv",
"Identifier": {
"PURL": "pkg:pypi/python-dotenv@1.0.1",
"UID": "aa0161c8af991eee"
},
"Version": "1.0.1",
"Locations": [
{
"StartLine": 25,
"EndLine": 25
}
],
"AnalyzedBy": "pip"
},
{
"Name": "python-multipart",
"Identifier": {
"PURL": "pkg:pypi/python-multipart@0.0.20",
"UID": "b7313b19666f5d04"
},
"Version": "0.0.20",
"Locations": [
{
"StartLine": 26,
"EndLine": 26
}
],
"AnalyzedBy": "pip"
},
{
"Name": "rich",
"Identifier": {
"PURL": "pkg:pypi/rich@13.9.4",
"UID": "1aa249cf1b63ba03"
},
"Version": "13.9.4",
"Locations": [
{
"StartLine": 28,
"EndLine": 28
}
],
"AnalyzedBy": "pip"
},
{
"Name": "rich-toolkit",
"Identifier": {
"PURL": "pkg:pypi/rich-toolkit@0.13.2",
"UID": "2e89c6e41f5ec454"
},
"Version": "0.13.2",
"Locations": [
{
"StartLine": 29,
"EndLine": 29
}
],
"AnalyzedBy": "pip"
},
{
"Name": "shellingham",
"Identifier": {
"PURL": "pkg:pypi/shellingham@1.5.4",
"UID": "5ea1ca666537744f"
},
"Version": "1.5.4",
"Locations": [
{
"StartLine": 30,
"EndLine": 30
}
],
"AnalyzedBy": "pip"
},
{
"Name": "sniffio",
"Identifier": {
"PURL": "pkg:pypi/sniffio@1.3.1",
"UID": "a40e3eac6767669c"
},
"Version": "1.3.1",
"Locations": [
{
"StartLine": 31,
"EndLine": 31
}
],
"AnalyzedBy": "pip"
},
{
"Name": "starlette",
"Identifier": {
"PURL": "pkg:pypi/starlette@0.45.3",
"UID": "af907083791be28f"
},
"Version": "0.45.3",
"Locations": [
{
"StartLine": 32,
"EndLine": 32
}
],
"AnalyzedBy": "pip"
},
{
"Name": "typer",
"Identifier": {
"PURL": "pkg:pypi/typer@0.15.1",
"UID": "a6c21cf6638df8ba"
},
"Version": "0.15.1",
"Locations": [
{
"StartLine": 33,
"EndLine": 33
}
],
"AnalyzedBy": "pip"
},
{
"Name": "typing_extensions",
"Identifier": {
"PURL": "pkg:pypi/typing-extensions@4.12.2",
"UID": "428e980831435b6b"
},
"Version": "4.12.2",
"Locations": [
{
"StartLine": 34,
"EndLine": 34
}
],
"AnalyzedBy": "pip"
},
{
"Name": "ujson",
"Identifier": {
"PURL": "pkg:pypi/ujson@5.10.0",
"UID": "e14577f2b75f6adb"
},
"Version": "5.10.0",
"Locations": [
{
"StartLine": 35,
"EndLine": 35
}
],
"AnalyzedBy": "pip"
},
{
"Name": "uvicorn",
"Identifier": {
"PURL": "pkg:pypi/uvicorn@0.34.0",
"UID": "26c5e8724061bc22"
},
"Version": "0.34.0",
"Locations": [
{
"StartLine": 36,
"EndLine": 36
}
],
"AnalyzedBy": "pip"
},
{
"Name": "uvloop",
"Identifier": {
"PURL": "pkg:pypi/uvloop@0.21.0",
"UID": "e81c6d52dead02bd"
},
"Version": "0.21.0",
"Locations": [
{
"StartLine": 37,
"EndLine": 37
}
],
"AnalyzedBy": "pip"
},
{
"Name": "watchfiles",
"Identifier": {
"PURL": "pkg:pypi/watchfiles@1.0.4",
"UID": "f9f5beda0ae55d09"
},
"Version": "1.0.4",
"Locations": [
{
"StartLine": 38,
"EndLine": 38
}
],
"AnalyzedBy": "pip"
},
{
"Name": "websockets",
"Identifier": {
"PURL": "pkg:pypi/websockets@15.0",
"UID": "cd14e2393bda03c1"
},
"Version": "15.0",
"Locations": [
{
"StartLine": 39,
"EndLine": 39
}
],
"AnalyzedBy": "pip"
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2025-27516",
"VendorIDs": [
"GHSA-cpwx-vrp4-4pq7"
],
"PkgName": "Jinja2",
"PkgIdentifier": {
"PURL": "pkg:pypi/jinja2@3.1.5",
"UID": "94e7ca9e0915135b"
},
"InstalledVersion": "3.1.5",
"FixedVersion": "3.1.6",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-27516",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:3f4af130453f77f0de2edfc83880d8c5c64f522da58defa47d071243a0f08fd6",
"Title": "jinja2: Jinja sandbox breakout through attr filter selecting format method",
"Description": "Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-1336"
],
"VendorSeverity": {
"alma": 3,
"amazon": 3,
"azure": 2,
"cbl-mariner": 2,
"ghsa": 2,
"nvd": 3,
"oracle-oval": 3,
"photon": 3,
"redhat": 3,
"rocky": 3,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V40Vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"V40Score": 5.4
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"V3Score": 8.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"V3Score": 7.3
}
},
"References": [
"https://access.redhat.com/errata/RHSA-2025:3406",
"https://access.redhat.com/security/cve/CVE-2025-27516",
"https://bugzilla.redhat.com/2350190",
"https://bugzilla.redhat.com/show_bug.cgi?id=2350190",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27516",
"https://errata.almalinux.org/9/ALSA-2025-3406.html",
"https://errata.rockylinux.org/RLSA-2025:3406",
"https://github.com/pallets/jinja",
"https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403",
"https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7",
"https://linux.oracle.com/cve/CVE-2025-27516.html",
"https://linux.oracle.com/errata/ELSA-2025-7476.html",
"https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html",
"https://lists.debian.org/debian-lts-announce/2025/04/msg00045.html",
"https://nvd.nist.gov/vuln/detail/CVE-2025-27516",
"https://ubuntu.com/security/notices/USN-7343-1",
"https://www.cve.org/CVERecord?id=CVE-2025-27516"
],
"PublishedDate": "2025-03-05T21:15:20.073Z",
"LastModifiedDate": "2025-11-03T20:18:02.203Z"
},
{
"VulnerabilityID": "CVE-2025-43859",
"VendorIDs": [
"GHSA-vqfr-h8mv-ghfj"
],
"PkgName": "h11",
"PkgIdentifier": {
"PURL": "pkg:pypi/h11@0.14.0",
"UID": "80d2cac810fa3b4e"
},
"InstalledVersion": "0.14.0",
"FixedVersion": "0.16.0",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-43859",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:9095f5954848dd730ee4ca44f552238121cf828c860c0fe482436f3644a6bc59",
"Title": "h11: h11 accepts some malformed Chunked-Encoding bodies",
"Description": "h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-444"
],
"VendorSeverity": {
"ghsa": 4,
"redhat": 3,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"V3Score": 9.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"V3Score": 7.4
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-43859",
"https://github.com/python-hyper/h11",
"https://github.com/python-hyper/h11/commit/114803a29ce50116dc47951c690ad4892b1a36ed",
"https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj",
"https://nvd.nist.gov/vuln/detail/CVE-2025-43859",
"https://ubuntu.com/security/notices/USN-7503-1",
"https://www.cve.org/CVERecord?id=CVE-2025-43859"
],
"PublishedDate": "2025-04-24T19:15:47.06Z",
"LastModifiedDate": "2025-04-29T13:52:28.49Z"
},
{
"VulnerabilityID": "CVE-2025-67221",
"VendorIDs": [
"GHSA-hx9q-6w63-j58v"
],
"PkgName": "orjson",
"PkgIdentifier": {
"PURL": "pkg:pypi/orjson@3.10.15",
"UID": "297d4913f6a6ac7e"
},
"InstalledVersion": "3.10.15",
"Status": "affected",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-67221",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:f5871bf3eb1173c1544e1999e8c6871ffb5a7abb4e80c1113e496db4e349370a",
"Title": "orjson: orjson: Denial of Service due to unbounded recursion with deeply nested JSON documents",
"Description": "The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-770"
],
"VendorSeverity": {
"ghsa": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"V40Score": 5.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 5.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-67221",
"https://github.com/ijl/orjson",
"https://github.com/ijl/orjson/issues/620",
"https://github.com/kpatsakis/CVE-2025-67221/issues/1",
"https://github.com/kpatsakis/orjson_vulnerability",
"https://nvd.nist.gov/vuln/detail/CVE-2025-67221",
"https://www.cve.org/CVERecord?id=CVE-2025-67221"
],
"PublishedDate": "2026-01-22T17:16:01.433Z",
"LastModifiedDate": "2026-02-12T15:03:09.79Z"
},
{
"VulnerabilityID": "CVE-2026-24486",
"VendorIDs": [
"GHSA-wp53-j4wj-2cfg"
],
"PkgName": "python-multipart",
"PkgIdentifier": {
"PURL": "pkg:pypi/python-multipart@0.0.20",
"UID": "b7313b19666f5d04"
},
"InstalledVersion": "0.0.20",
"FixedVersion": "0.0.22",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-24486",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:ed5cfd41c6f31e6e431a666fb1212f7695931854dfb789bdc8c5124126ce0f21",
"Title": "python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability",
"Description": "Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.",
"Severity": "HIGH",
"CweIDs": [
"CWE-22"
],
"VendorSeverity": {
"ghsa": 3,
"nvd": 3,
"redhat": 3,
"ubuntu": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"V3Score": 8.6
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"V3Score": 8.6
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2026-24486",
"https://github.com/Kludex/python-multipart",
"https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4",
"https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4 (0.0.22)",
"https://github.com/Kludex/python-multipart/releases/tag/0.0.22",
"https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg",
"https://nvd.nist.gov/vuln/detail/CVE-2026-24486",
"https://ubuntu.com/security/notices/USN-8027-1",
"https://www.cve.org/CVERecord?id=CVE-2026-24486"
],
"PublishedDate": "2026-01-27T01:16:02.303Z",
"LastModifiedDate": "2026-02-17T20:44:50.21Z"
},
{
"VulnerabilityID": "CVE-2025-62727",
"VendorIDs": [
"GHSA-7f5h-v6xp-fcq8"
],
"PkgName": "starlette",
"PkgIdentifier": {
"PURL": "pkg:pypi/starlette@0.45.3",
"UID": "af907083791be28f"
},
"InstalledVersion": "0.45.3",
"FixedVersion": "0.49.1",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-62727",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:769993a2b0c98606a9f93d3a34024ba251ef2710df1c5640dfcbbb1c58f3734b",
"Title": "starlette: Starlette DoS via Range header merging",
"Description": "Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial\u2011of\u2011service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.",
"Severity": "HIGH",
"CweIDs": [
"CWE-407"
],
"VendorSeverity": {
"ghsa": 3,
"redhat": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-62727",
"https://github.com/Kludex/starlette",
"https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5",
"https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c",
"https://github.com/Kludex/starlette/releases/tag/0.49.1",
"https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8",
"https://nvd.nist.gov/vuln/detail/CVE-2025-62727",
"https://www.cve.org/CVERecord?id=CVE-2025-62727"
],
"PublishedDate": "2025-10-28T21:15:40.447Z",
"LastModifiedDate": "2025-11-04T18:16:45.48Z"
},
{
"VulnerabilityID": "CVE-2025-54121",
"VendorIDs": [
"GHSA-2c2j-9gv5-cj73"
],
"PkgName": "starlette",
"PkgIdentifier": {
"PURL": "pkg:pypi/starlette@0.45.3",
"UID": "af907083791be28f"
},
"InstalledVersion": "0.45.3",
"FixedVersion": "0.47.2",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-54121",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:99722ceaf642cf760be7ec7ed4aac3011e18b2caf8b4566c4b62651b87bd4c0a",
"Title": "starlette: Starlette denial-of-service",
"Description": "Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-770"
],
"VendorSeverity": {
"ghsa": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-54121",
"https://github.com/encode/starlette",
"https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14",
"https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1",
"https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403",
"https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73",
"https://nvd.nist.gov/vuln/detail/CVE-2025-54121",
"https://www.cve.org/CVERecord?id=CVE-2025-54121"
],
"PublishedDate": "2025-07-21T20:15:41.827Z",
"LastModifiedDate": "2025-07-22T13:05:40.573Z"
}
]
},
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Failures": 1
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS-0029",
"Title": "'apt-get' missing '--no-install-recommends'",
"Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.",
"Message": "'--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y ffmpeg && rm -rf /var/lib/apt/lists/*'",
"Namespace": "builtin.dockerfile.DS029",
"Query": "data.builtin.dockerfile.DS029.deny",
"Resolution": "Add '--no-install-recommends' flag to 'apt-get'",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0029",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds-0029"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 5,
"EndLine": 7,
"Code": {
"Lines": [
{
"Number": 5,
"Content": "RUN apt-get update && apt-get install -y \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt-get update \u001b[38;5;245m&&\u001b[0m apt-get install -y \u001b[38;5;124m\\",
"FirstCause": true,
"LastCause": false
},
{
"Number": 6,
"Content": " ffmpeg \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m ffmpeg \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " && rm -rf /var/lib/apt/lists/*",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;245m&&\u001b[0m rm -rf /var/lib/apt/lists/*",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
}
]
}