| Severity | CVE ID | Package | Installed | Fixed In | Description |
|---|---|---|---|---|---|
| HIGH | CVE-2025-62727 | starlette | 0.46.2 | 0.49.1 | starlette: Starlette DoS via Range header merging |
| MEDIUM | CVE-2025-54121 | starlette | 0.46.2 | 0.47.2 | starlette: Starlette denial-of-service |
| Type | File | Line | Match |
|---|---|---|---|
| ✅ No secrets found | | | |
| Severity | ID | Check | File | Message |
|---|---|---|---|---|
| HIGH | DS-0029 | 'apt-get' missing '--no-install-recommends' | Dockerfile | '--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y ffmpeg && rm -rf /var/lib/apt/lists/*' |
{
"SchemaVersion": 2,
"Trivy": {
"Version": "0.69.0"
},
"ReportID": "019ce5fa-55a3-71d2-83bf-f9cff9624488",
"CreatedAt": "2026-03-13T06:55:14.339120041Z",
"ArtifactID": "sha256:8917d6ad09fba99c02ef76b5e22d3b45aa3a89c15c5bfd6b1bf22beedc2c66b2",
"ArtifactName": "/src",
"ArtifactType": "repository",
"Metadata": {
"RepoURL": "https://github.com/eizen-ai/eizen-linkedin-service.git",
"Branch": "code-refactor-v1",
"Commit": "debb66e43ad839570882ec9bc6c4a6525013ac0d",
"CommitMsg": "vulnerability-issues-fixed",
"Author": "eizen-prasad <prasad.ayithireddi@eizen.ai>",
"Committer": "eizen-prasad <prasad.ayithireddi@eizen.ai>"
},
"Results": [
{
"Target": "requirements.txt",
"Class": "lang-pkgs",
"Type": "pip",
"Packages": [
{
"Name": "Jinja2",
"Identifier": {
"PURL": "pkg:pypi/jinja2@3.1.6",
"UID": "53f847472bad5efc"
},
"Version": "3.1.6",
"Locations": [
{
"StartLine": 11,
"EndLine": 11
}
],
"AnalyzedBy": "pip"
},
{
"Name": "boto3",
"Identifier": {
"PURL": "pkg:pypi/boto3@1.42.67",
"UID": "38f2af9d89180b15"
},
"Version": "1.42.67",
"Locations": [
{
"StartLine": 14,
"EndLine": 14
}
],
"AnalyzedBy": "pip"
},
{
"Name": "fastapi",
"Identifier": {
"PURL": "pkg:pypi/fastapi@0.115.14",
"UID": "6c69fab22f70f3c1"
},
"Version": "0.115.14",
"Locations": [
{
"StartLine": 2,
"EndLine": 2
}
],
"AnalyzedBy": "pip"
},
{
"Name": "h11",
"Identifier": {
"PURL": "pkg:pypi/h11@0.16.0",
"UID": "8f1b32c085b72673"
},
"Version": "0.16.0",
"Locations": [
{
"StartLine": 10,
"EndLine": 10
}
],
"AnalyzedBy": "pip"
},
{
"Name": "httpx",
"Identifier": {
"PURL": "pkg:pypi/httpx@0.28.1",
"UID": "3eda393f775ab9a"
},
"Version": "0.28.1",
"Locations": [
{
"StartLine": 4,
"EndLine": 4
}
],
"AnalyzedBy": "pip"
},
{
"Name": "loguru",
"Identifier": {
"PURL": "pkg:pypi/loguru@0.7.3",
"UID": "220b91f308381d64"
},
"Version": "0.7.3",
"Locations": [
{
"StartLine": 15,
"EndLine": 15
}
],
"AnalyzedBy": "pip"
},
{
"Name": "python-dotenv",
"Identifier": {
"PURL": "pkg:pypi/python-dotenv@1.0.1",
"UID": "af1b93dff8860c83"
},
"Version": "1.0.1",
"Locations": [
{
"StartLine": 5,
"EndLine": 5
}
],
"AnalyzedBy": "pip"
},
{
"Name": "python-multipart",
"Identifier": {
"PURL": "pkg:pypi/python-multipart@0.0.22",
"UID": "239944eb3401fec4"
},
"Version": "0.0.22",
"Locations": [
{
"StartLine": 6,
"EndLine": 6
}
],
"AnalyzedBy": "pip"
},
{
"Name": "starlette",
"Identifier": {
"PURL": "pkg:pypi/starlette@0.46.2",
"UID": "3fbd9e9f7be80751"
},
"Version": "0.46.2",
"Locations": [
{
"StartLine": 9,
"EndLine": 9
}
],
"AnalyzedBy": "pip"
},
{
"Name": "uvicorn",
"Identifier": {
"PURL": "pkg:pypi/uvicorn@0.34.0",
"UID": "1506b744f3cfb005"
},
"Version": "0.34.0",
"Locations": [
{
"StartLine": 3,
"EndLine": 3
}
],
"AnalyzedBy": "pip"
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2025-62727",
"VendorIDs": [
"GHSA-7f5h-v6xp-fcq8"
],
"PkgName": "starlette",
"PkgIdentifier": {
"PURL": "pkg:pypi/starlette@0.46.2",
"UID": "3fbd9e9f7be80751"
},
"InstalledVersion": "0.46.2",
"FixedVersion": "0.49.1",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-62727",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:7105f4d655879aa695d08e307001b7508fe3d2146f5f461d82bf3b5f98122617",
"Title": "starlette: Starlette DoS via Range header merging",
"Description": "Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial\u2011of\u2011service for endpoints serving files (e.g., StaticFiles or any use of FileResponse). This vulnerability is fixed in 0.49.1.",
"Severity": "HIGH",
"CweIDs": [
"CWE-407"
],
"VendorSeverity": {
"ghsa": 3,
"redhat": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V3Score": 7.5
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-62727",
"https://github.com/Kludex/starlette",
"https://github.com/Kludex/starlette/commit/4ea6e22b489ec388d6004cfbca52dd5b147127c5",
"https://github.com/Kludex/starlette/commit/69ed26a85956ef4bd0161807eb27abf49be7cd3c",
"https://github.com/Kludex/starlette/releases/tag/0.49.1",
"https://github.com/Kludex/starlette/security/advisories/GHSA-7f5h-v6xp-fcq8",
"https://nvd.nist.gov/vuln/detail/CVE-2025-62727",
"https://www.cve.org/CVERecord?id=CVE-2025-62727"
],
"PublishedDate": "2025-10-28T21:15:40.447Z",
"LastModifiedDate": "2025-11-04T18:16:45.48Z"
},
{
"VulnerabilityID": "CVE-2025-54121",
"VendorIDs": [
"GHSA-2c2j-9gv5-cj73"
],
"PkgName": "starlette",
"PkgIdentifier": {
"PURL": "pkg:pypi/starlette@0.46.2",
"UID": "3fbd9e9f7be80751"
},
"InstalledVersion": "0.46.2",
"FixedVersion": "0.47.2",
"Status": "fixed",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-54121",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Fingerprint": "sha256:0caede8c15f7c927fa77955030185df31d577bed9629849bdcc729df7feaf516",
"Title": "starlette: Starlette denial-of-service",
"Description": "Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-770"
],
"VendorSeverity": {
"ghsa": 2,
"redhat": 2
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"V3Score": 5.3
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2025-54121",
"https://github.com/encode/starlette",
"https://github.com/encode/starlette/blob/fa5355442753f794965ae1af0f87f9fec1b9a3de/starlette/datastructures.py#L436C5-L447C14",
"https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1",
"https://github.com/encode/starlette/discussions/2927#discussioncomment-13721403",
"https://github.com/encode/starlette/security/advisories/GHSA-2c2j-9gv5-cj73",
"https://nvd.nist.gov/vuln/detail/CVE-2025-54121",
"https://www.cve.org/CVERecord?id=CVE-2025-54121"
],
"PublishedDate": "2025-07-21T20:15:41.827Z",
"LastModifiedDate": "2025-07-22T13:05:40.573Z"
}
]
},
{
"Target": "Dockerfile",
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 23,
"Failures": 1
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "DS-0029",
"Title": "'apt-get' missing '--no-install-recommends'",
"Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.",
"Message": "'--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y ffmpeg && rm -rf /var/lib/apt/lists/*'",
"Namespace": "builtin.dockerfile.DS029",
"Query": "data.builtin.dockerfile.DS029.deny",
"Resolution": "Add '--no-install-recommends' flag to 'apt-get'",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ds-0029",
"References": [
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/misconfig/ds-0029"
],
"Status": "FAIL",
"CauseMetadata": {
"Provider": "Dockerfile",
"Service": "general",
"StartLine": 5,
"EndLine": 7,
"Code": {
"Lines": [
{
"Number": 5,
"Content": "RUN apt-get update && apt-get install -y \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt-get update \u001b[38;5;245m&&\u001b[0m apt-get install -y \u001b[38;5;124m\\",
"FirstCause": true,
"LastCause": false
},
{
"Number": 6,
"Content": " ffmpeg \\",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m ffmpeg \u001b[38;5;124m\\",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " && rm -rf /var/lib/apt/lists/*",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;245m&&\u001b[0m rm -rf /var/lib/apt/lists/*",
"FirstCause": false,
"LastCause": true
}
]
}
}
}
]
}
]
}