Description
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (rustpython-pylib version) | Remediation Possible** | |
|---|---|---|---|---|---|---|
| CVE-2007-4559 | 9.8 | rustpython-pylib-0.4.0.crate | Direct | N/A | ❌ | |
| CVE-2025-4517 | 9.4 | rustpython-pylib-0.4.0.crate | Direct | https://github.com/python/cpython.git - v3.11.13 | ❌ | |
| CVE-2024-9287 | 7.8 | rustpython-pylib-0.4.0.crate | Direct | N/A | ❌ | |
| CVE-2018-20225 | 7.8 | rustpython-pylib-0.4.0.crate | Direct | N/A | ❌ | |
| CVE-2025-8194 | 7.5 | rustpython-pylib-0.4.0.crate | Direct | N/A | ❌ | |
| CVE-2025-4435 | 7.5 | rustpython-pylib-0.4.0.crate | Direct | https://github.com/python/cpython.git - v3.11.13 | ❌ | |
| CVE-2025-4330 | 7.5 | rustpython-pylib-0.4.0.crate | Direct | https://github.com/python/cpython.git - v3.9.23 | ❌ | |
| CVE-2025-4138 | 7.5 | rustpython-pylib-0.4.0.crate | Direct | https://github.com/python/cpython.git - v3.9.23 | ❌ | |
| CVE-2024-7592 | 7.5 | rustpython-pylib-0.4.0.crate | Direct | Replace or update the following files: v3.8.20, v3.9.20, v3.10.15, v3.11.10, v3.12.6 | ❌ | |
| CVE-2024-6232 | 7.5 | rustpython-pylib-0.4.0.crate | Direct | v3.8.20,v3.9.20,v3.10.15,v3.11.10,v3.12.6 | ❌ | |
| CVE-2024-4032 | 7.5 | rustpython-pylib-0.4.0.crate | Direct | v3.8.20,v3.9.20,v3.10.15,v3.11.10,v3.12.4,v3.13.0a6 | ❌ | |
| CVE-2024-12254 | 7.5 | rustpython-pylib-0.4.0.crate | Direct | N/A | ❌ | |
| CVE-2023-24329 | 7.5 | rustpython-pylib-0.4.0.crate | Direct | v3.7.17,v3.8.17,v3.9.17,v3.10.12,v3.11.4 | ❌ | |
| CVE-2019-16056 | 7.5 | rustpython-pylib-0.4.0.crate | Direct | v3.5.8,v3.6.10,v3.7.5 | ❌ | |
| CVE-2021-28861 | 7.4 | rustpython-pylib-0.4.0.crate | Direct | v3.10.6 | ❌ | |
| CVE-2023-43804 | 5.9 | rustpython-pylib-0.4.0.crate | Direct | urllib3 - 1.26.17,2.0.6 | ❌ | |
| CVE-2021-3426 | 5.7 | rustpython-pylib-0.4.0.crate | Direct | v3.8.9,v3.9.3 | ❌ | |
| CVE-2024-6923 | 5.5 | rustpython-pylib-0.4.0.crate | Direct | v3.8.20,v3.9.20,v3.10.15,v3.11.10,v3.12.5 | ❌ | |
| CVE-2023-5752 | 5.5 | rustpython-pylib-0.4.0.crate | Direct | pip - 23.3 | ❌ | |
| CVE-2024-3220 | 5.4 | rustpython-pylib-0.4.0.crate | Direct | N/A | ❌ | |
| CVE-2024-12718 | 5.3 | rustpython-pylib-0.4.0.crate | Direct | https://github.com/python/cpython.git - v3.12.11 | ❌ | |
| CVE-2023-27043 | 5.3 | rustpython-pylib-0.4.0.crate | Direct | https://github.com/python/cpython.git - v3.13.0a3 | ❌ | |
| CVE-2024-37891 | 4.4 | rustpython-pylib-0.4.0.crate | Direct | urllib3 - 1.26.19,2.2.2 | ❌ | |
| CVE-2025-6069 | 4.3 | rustpython-pylib-0.4.0.crate | Direct | N/A | ❌ | |
| CVE-2025-0938 | 4.0 | rustpython-pylib-0.4.0.crate | Direct | N/A | ❌ | |
| CVE-2024-3219 | 4.0 | rustpython-pylib-0.4.0.crate | Direct | b252317956b7fc035bb3774ef6a177e227f9fc54 | ❌ | |
| CVE-2024-11168 | 3.7 | rustpython-pylib-0.4.0.crate | Direct | N/A | ❌ | |
| CVE-2025-1795 | 3.1 | rustpython-pylib-0.4.0.crate | Direct | v3.11.9,v3.12.3,v3.13.0a5 | ❌ |
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2007-4559
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
Publish Date: 2007-08-28
URL: CVE-2007-4559
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2025-4517
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data".
You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities; earlier versions don't include the extraction filter feature.
Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.
Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-03
URL: CVE-2025-4517
CVSS 3 Score Details (9.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-4517
Release Date: 2025-06-03
Fix Resolution: https://github.com/python/cpython.git - v3.11.13
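The CVE-2007-4559 and CVE-2025-4517 entries above (and the CVE-2025-4330, CVE-2025-4138 and CVE-2025-4435 entries further down, which describe the same extraction-filter family) come down to one rule: an archive member must never decide where it lands. The following is an added example, not code from this report, from RustPython or from CPython, showing an extraction guard that validates each member itself (relative path, no "..", no link or device members, resolved target inside the destination, bounded declared size) and turns on the built-in "data" filter only as a second layer where the interpreter has one. The archive it extracts is constructed in memory with the hostile patterns from those entries; build_sample_tar, check_member, safe_extract, run_demo and MAX_TOTAL_BYTES are this example's own names.

```python
# Added example (not from the Mend report, RustPython or CPython): extract a
# tar archive while validating every member ourselves.
import io
import os
import tarfile
import tempfile

# Cap on the total size the headers declare; a constructed limit for this
# example, a real service picks its own.
MAX_TOTAL_BYTES = 10 * 1024 * 1024


def build_sample_tar() -> bytes:
    """Constructed archive: one benign member plus the hostile patterns from
    CVE-2007-4559 (dot-dot, absolute path) and CVE-2025-4330/4138 (symlink
    out of the tree, then a write through it)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("docs/readme.txt", b"hello")
        add_file("../../escape.txt", b"pwned")
        add_file("/tmp/absolute.txt", b"pwned")
        link = tarfile.TarInfo("link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
        add_file("link/payload.txt", b"pwned")
    return buf.getvalue()


def check_member(member: tarfile.TarInfo, dest_real: str) -> str:
    """Return "" if the member may be extracted, otherwise the reason to refuse."""
    name = member.name
    if "\\" in name or "\x00" in name:
        return "suspicious characters"
    if name.startswith("/") or os.path.isabs(name):
        return "absolute path"
    if ".." in name.split("/"):
        return "path traversal"
    if not (member.isfile() or member.isdir()):
        return "link or special file"
    # Where the write would really land, following any symlink that already
    # exists under dest; it must stay inside dest.
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return "resolves outside destination"
    return ""


def safe_extract(archive: bytes, dest: str, max_total: int = MAX_TOTAL_BYTES) -> dict:
    """Extract only members that pass check_member; report what was skipped."""
    dest_real = os.path.realpath(dest)
    # Interpreters that ship extraction filters get the "data" filter as a
    # second layer; it is not a substitute for check_member (see the CVEs above).
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    report = {"extracted": [], "rejected": {}}
    total = 0
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar:
            reason = check_member(member, dest_real)
            if not reason:
                total += member.size
                if total > max_total:
                    reason = "declared size exceeds limit"
            if reason:
                report["rejected"][member.name] = reason
                continue
            tar.extract(member, path=dest_real, **extra)
            report["extracted"].append(member.name)
    return report


def run_demo() -> dict:
    """Extract the constructed archive into a scratch directory and list what
    actually ended up on disk (paths relative to the destination)."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "dest")
        os.mkdir(dest)
        report = safe_extract(build_sample_tar(), dest)
        report["on_disk"] = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
            for root, _dirs, files in os.walk(dest)
            for f in files
        )
    return report


if __name__ == "__main__":
    print(run_demo())
```

Refusing every link member is deliberate: the escape in CVE-2025-4330 needs a symlink to be created first and a later member to be written through it, so a guard that allows links has to re-resolve each target against the directory as it exists at that moment. If links are genuinely needed, extract them after all regular files and validate each linkname with the same relative-and-inside test.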
CVE-2024-9287
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
A vulnerability has been found in the CPython "venv" module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e. "./venv/bin/python") are not affected.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-10-22
URL: CVE-2024-9287
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2018-20225
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. Although being DISPUTED, Mend has considered this CVE as a valid report.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2020-05-08
URL: CVE-2018-20225
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2025-8194
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:

```python
import tarfile

def _block_patched(self, count):
    if count < 0:  # pragma: no cover
        raise tarfile.InvalidHeaderError("invalid offset")
    return _block_patched._orig_block(self, count)

_block_patched._orig_block = tarfile.TarInfo._block
tarfile.TarInfo._block = _block_patched
```
Publish Date: 2025-07-28
URL: CVE-2025-8194
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2025-4435
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.
Publish Date: 2025-06-03
URL: CVE-2025-4435
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-4435
Release Date: 2025-06-03
Fix Resolution: https://github.com/python/cpython.git - v3.11.13
CVE-2025-4330
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.
You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities; earlier versions don't include the extraction filter feature.
Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.
Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-03
URL: CVE-2025-4330
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-4330
Release Date: 2025-06-03
Fix Resolution: https://github.com/python/cpython.git - v3.9.23
CVE-2025-4138
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.
You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities; earlier versions don't include the extraction filter feature.
Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.
Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-03
URL: CVE-2025-4138
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-4138
Release Date: 2025-06-03
Fix Resolution: https://github.com/python/cpython.git - v3.9.23
CVE-2024-7592
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.
When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
Publish Date: 2024-08-19
URL: CVE-2024-7592
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Change files
Origin: https://www.cve.org/CVERecord?id=CVE-2024-7592
Release Date: 2024-09-10
Fix Resolution: Replace or update the following files: v3.8.20, v3.9.20, v3.10.15, v3.11.10, v3.12.6
CVE-2024-6232
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
There is a MEDIUM severity vulnerability affecting CPython.
Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-09-03
URL: CVE-2024-6232
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-6232
Release Date: 2024-09-03
Fix Resolution: v3.8.20,v3.9.20,v3.10.15,v3.11.10,v3.12.6
CVE-2024-4032
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.
CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.
Publish Date: 2024-06-17
URL: CVE-2024-4032
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: python/cpython#113179
Release Date: 2024-06-17
Fix Resolution: v3.8.20,v3.9.20,v3.10.15,v3.11.10,v3.12.4,v3.13.0a6
CVE-2024-12254
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer, potentially leading to memory exhaustion.
This vulnerability likely impacts a small number of users: you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using the .writelines() method, which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-12-06
URL: CVE-2024-12254
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2023-24329
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
Publish Date: 2023-02-17
URL: CVE-2023-24329
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-24329
Release Date: 2023-02-17
Fix Resolution: v3.7.17,v3.8.17,v3.9.17,v3.10.12,v3.11.4
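The CVE-2024-4032 entry (ipaddress is_private/is_global lagging the IANA registries) and the CVE-2023-24329 entry above (urllib.parse seeing no scheme when the URL starts with blank characters) are both failures of a guard that trusts one library property. The following is an added example, not code from this report or from CPython, of an outbound-URL check that normalizes the URL before parsing, allowlists the scheme, unwraps IPv4-mapped IPv6 literals, checks every resolved address against all of the ipaddress classification properties, and lets the operator add ranges of their own so a registry update does not have to ship in the interpreter first. ALLOWED_SCHEMES, EXTRA_DENY, SAMPLE_DNS, sample_resolver, normalize_url, scheme_of, address_is_public and url_is_safe are this example's own names, and the resolver is a constructed lookup table so the code runs offline.

```python
# Added example (not from the Mend report or CPython): validate an outbound
# URL before fetching it, without trusting a single ipaddress property.
import ipaddress
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Everything from NUL to space: the characters an attacker prepends so that an
# unpatched urllib.parse (CVE-2023-24329) reports no scheme at all.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))

# Ranges this deployment refuses even when ipaddress calls them global. An
# assumption for this example: the operator maintains the list so that a
# registry update like the one behind CVE-2024-4032 is not a prerequisite.
EXTRA_DENY = [ipaddress.ip_network(n) for n in ("192.0.0.0/24", "2001:db8::/32")]

# Constructed name resolution so the example runs offline.
SAMPLE_DNS = {
    "api.example": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "169.254.169.254"],  # public + metadata address
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host.lower(), [])


def normalize_url(url: str) -> str:
    """Strip leading/trailing C0 controls and space before parsing, so scheme
    detection does not depend on whether the interpreter carries the fix."""
    return url.strip(_LEADING_JUNK)


def scheme_of(url: str) -> str:
    return urlsplit(normalize_url(url)).scheme.lower()


def address_is_public(ip) -> bool:
    """True only for an address every classification property calls global."""
    mapped = getattr(ip, "ipv4_mapped", None)  # judge ::ffff:10.0.0.1 as 10.0.0.1
    if mapped is not None:
        ip = mapped
    if (not ip.is_global or ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in EXTRA_DENY if net.version == ip.version)


def url_is_safe(url: str, resolve: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Allowlist the scheme, then require every address the host maps to be public."""
    parts = urlsplit(normalize_url(url))
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addresses = [ipaddress.ip_address(host)]  # IP literal in the URL
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addresses:
        return False, "host does not resolve"
    # One private record among public ones is enough for the client to land
    # on it, so all of them must pass.
    for ip in addresses:
        if not address_is_public(ip):
            return False, "%s resolves to non-public %s" % (host, ip)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://api.example/v1", " \thttps://internal.example/",
                      "http://[::ffff:10.0.0.1]/", "\x00javascript:alert(1)"):
        print(repr(candidate), url_is_safe(candidate, sample_resolver))
```

The check should run on the addresses the HTTP client will actually connect to, so in a real service the resolver and the connection must use the same answer (pin the resolved address into the connection) or the lookup can be rebound between check and use.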
CVE-2019-16056
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
Publish Date: 2019-09-06
URL: CVE-2019-16056
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16056
Release Date: 2019-09-06
Fix Resolution: v3.5.8,v3.6.10,v3.7.5
CVE-2021-28861
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks." After conducting further research, Mend has determined that all versions of cpython up to version 3.10.6 are vulnerable to CVE-2021-28861.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-08-23
URL: CVE-2021-28861
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: python/cpython#24848
Release Date: 2022-08-23
Fix Resolution: v3.10.6
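The redirect in the CVE-2021-28861 entry above works because a request path of "//evil.example" looks like a local path but, when echoed into a Location header, is read by clients as a scheme-relative URL. The following is an added example, not code from this report or from CPython's http.server, showing the check and the canonicalization a handler should apply before building a redirect from a request path (the upstream fix takes the same approach of collapsing leading slashes). redirect_leaves_origin, canonical_request_path and directory_redirect are this example's own names; the backslash folding is an extra precaution for clients that treat "/\" like "//".

```python
# Added example (not from the Mend report or CPython's http.server): keep a
# path-based redirect from turning into a scheme-relative URL.
from urllib.parse import urlsplit


def redirect_leaves_origin(location: str) -> bool:
    """True if a client would read this Location value as pointing off-site.

    "//evil.example/x" has no scheme, yet urlsplit() still yields a netloc,
    and browsers resolve it as http(s)://evil.example/x on the current scheme.
    """
    parts = urlsplit(location)
    return bool(parts.scheme) or bool(parts.netloc)


def canonical_request_path(path: str) -> str:
    """Collapse leading slashes so the path cannot be read as scheme-relative.

    Backslashes are folded first because some clients treat "/\\evil.example"
    the same way as "//evil.example".
    """
    path = path.replace("\\", "/")
    if path.startswith("//"):
        path = "/" + path.lstrip("/")
    return path


def directory_redirect(request_path: str) -> str:
    """Location for the "add a trailing slash" redirect a static file server
    sends for a directory, built only from a canonical local path."""
    path = canonical_request_path(request_path)
    if not path.startswith("/"):
        path = "/" + path
    if not path.endswith("/"):
        path += "/"
    if redirect_leaves_origin(path):  # cannot happen after canonicalization; fail closed
        raise ValueError("refusing off-origin redirect: %r" % path)
    return path


if __name__ == "__main__":
    for p in ("/docs", "//evil.example", "///evil.example/a", "/\\evil.example"):
        print(repr(p), "->", directory_redirect(p))
```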
CVE-2023-43804
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-10-04
URL: CVE-2023-43804
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43804
Release Date: 2023-10-04
Fix Resolution: urllib3 - 1.26.17,2.0.6
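The CVE-2023-43804 entry above describes a client that carries a user-supplied Cookie header across a redirect to a different origin. The same hazard exists with any HTTP client that follows redirects, so the following is an added example, not code from this report, from urllib3 or from CPython, of the fix pattern applied to the standard library's urllib.request: a redirect handler that compares the origin (scheme, host, port) of the original request with the redirect target and drops Cookie, Authorization and Proxy-Authorization when they differ. origin_of, SENSITIVE_HEADERS, OriginBoundRedirectHandler, make_opener and simulate_redirect are this example's own names; simulate_redirect calls the handler directly with a constructed redirect so nothing touches the network.

```python
# Added example (not from the Mend report, urllib3 or CPython): strip
# credentials from a urllib.request redirect that crosses origins.
import urllib.request
from urllib.parse import urlsplit

SENSITIVE_HEADERS = ("Cookie", "Authorization", "Proxy-Authorization")
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, so that
    https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or _DEFAULT_PORTS.get(scheme))


class OriginBoundRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Let the base class build the follow-up request, then remove the
    sensitive headers if the redirect leaves the original origin. A scheme
    downgrade (https -> http) counts as a different origin too."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new_req is not None and origin_of(req.full_url) != origin_of(newurl):
            for name in SENSITIVE_HEADERS:
                # Request stores header names capitalized ("Proxy-authorization").
                new_req.remove_header(name.capitalize())
        return new_req


def make_opener() -> urllib.request.OpenerDirector:
    """Opener that uses the origin-bound handler; drop-in for urlopen()."""
    return urllib.request.build_opener(OriginBoundRedirectHandler)


def simulate_redirect(start_url: str, location: str, code: int = 302) -> dict:
    """Build the request a client would send after a redirect and report which
    sensitive headers survived. The response object is constructed: the base
    handler only touches fp/headers when it raises HTTPError."""
    req = urllib.request.Request(
        start_url,
        headers={"Cookie": "sid=secret", "Authorization": "Bearer t0k3n"},
    )
    new_req = OriginBoundRedirectHandler().redirect_request(req, None, code, "Found", {}, location)
    kept = sorted(h for h in SENSITIVE_HEADERS if new_req.has_header(h.capitalize()))
    return {"url": new_req.full_url, "kept": kept}


if __name__ == "__main__":
    print(simulate_redirect("https://a.example/login", "https://a.example/home"))
    print(simulate_redirect("https://a.example/login", "https://b.example/collect"))
    print(simulate_redirect("https://a.example/login", "http://a.example/login"))
```

Treating a scheme downgrade as a new origin matters as much as a host change: a redirect from https to http on the same host would otherwise replay the cookie in clear text.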
CVE-2021-3426
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.
Publish Date: 2021-05-20
URL: CVE-2021-3426
CVSS 3 Score Details (5.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://bugs.python.org/issue42988
Release Date: 2021-05-20
Fix Resolution: v3.8.9,v3.9.3
CVE-2024-6923
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
There is a MEDIUM severity vulnerability affecting CPython.
The email module didn’t properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized.
Publish Date: 2024-08-01
URL: CVE-2024-6923
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: python/cpython#122233
Release Date: 2024-08-01
Fix Resolution: v3.8.20,v3.9.20,v3.10.15,v3.11.10,v3.12.5
CVE-2023-5752
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
When installing a package from a Mercurial VCS URL (i.e., "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (i.e., "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-10-24
URL: CVE-2023-5752
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-5752
Release Date: 2023-10-24
Fix Resolution: pip - 23.3
CVE-2024-3220
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
There is a defect in the CPython standard library module “mimetypes” where, on Windows, the default list of known file locations is writable, meaning other users can create invalid files to cause a MemoryError to be raised on Python runtime startup or to have file extensions interpreted as the incorrect file type.
Publish Date: 2025-02-14
URL: CVE-2024-3220
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
CVE-2024-12718
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
Allows modifying some file metadata (e.g. last modified) with filter="data", or file permissions (chmod) with filter="tar", of files outside the extraction directory.
You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() with the filter= parameter set to "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities; earlier versions don't include the extraction filter feature.
Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.
Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
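The advisory's point is that the extraction filter alone did not stop metadata or permission changes on files outside the destination, reached through links in the archive. The following is an added example, not code from the page, from CPython or from the project the issue was filed against: it vets every member against the destination directory before extraction (absolute paths, traversal in names, and link targets that resolve outside the destination), extracts only the accepted members, and still passes filter="data" where the running Python supports it so the stdlib checks stay on top of ours. The function names, the temporary destination and the constructed three-member archive are assumptions for illustration.

```python
import io
import os
import tarfile
import tempfile


def escapes_destination(dest: str, relpath: str) -> bool:
    """Lexical containment check: True if dest/relpath would land outside
    dest. Done on names, not on disk, so a link the archive itself plants
    cannot redirect the check."""
    full = os.path.normpath(os.path.join(dest, relpath))
    return not (full == dest or full.startswith(dest + os.sep))


def vet_members(tar: tarfile.TarFile, dest: str):
    """Split members into a list safe to extract and a {name: reason} map of
    rejects. Links are the interesting case: rewriting metadata or mode of a
    file outside dest needs a link whose target lies outside dest."""
    accepted, rejected = [], {}
    for m in tar.getmembers():
        if os.path.isabs(m.name) or escapes_destination(dest, m.name):
            rejected[m.name] = "member path escapes destination"
            continue
        if m.issym() or m.islnk():
            # A symlink target is relative to the link's own directory; a
            # hard link target is relative to the archive root.
            base = os.path.dirname(m.name) if m.issym() else ""
            target = os.path.join(base, m.linkname)
            if os.path.isabs(m.linkname) or escapes_destination(dest, target):
                rejected[m.name] = "link target escapes destination"
                continue
        elif not (m.isfile() or m.isdir()):
            rejected[m.name] = "special file (device, fifo, ...)"
            continue
        accepted.append(m)
    return accepted, rejected


def safe_extract(tar_bytes: bytes, dest: str):
    """Vet first, then extract only the accepted members. filter="data" is
    added on Pythons that have extraction filters (tarfile.data_filter
    exists); on older Pythons the vetting above is all there is."""
    dest = os.path.abspath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        accepted, rejected = vet_members(tar, dest)
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=accepted, **extra)
    return [m.name for m in accepted], rejected


def build_sample_archive() -> bytes:
    """Constructed sample input: one honest file, a symlink whose target
    escapes the destination, and a path-traversal member name."""
    payload = b"hello\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        good = tarfile.TarInfo("good.txt")
        good.size = len(payload)
        tar.addfile(good, io.BytesIO(payload))
        link = tarfile.TarInfo("escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside-target"
        tar.addfile(link)
        trav = tarfile.TarInfo("../evil.txt")
        trav.size = len(payload)
        tar.addfile(trav, io.BytesIO(payload))
    return buf.getvalue()


def demo():
    """Extract the sample archive into a fresh temporary directory and report
    what was accepted, what was rejected, and what good.txt contains."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    accepted, rejected = safe_extract(build_sample_archive(), dest)
    with open(os.path.join(dest, "good.txt"), "rb") as fh:
        content = fh.read()
    return accepted, rejected, content


if __name__ == "__main__":
    print(demo())
```

Rejecting rather than rewriting suspicious members is deliberate: an archive that needs a link out of its own tree is not one an unprivileged extractor should be repairing, and the reject map gives the caller something to log.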
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-03
URL: CVE-2024-12718
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-12718
Release Date: 2025-06-03
Fix Resolution: https://github.com/python/cpython.git - v3.12.11
CVE-2023-27043
Vulnerable Library - rustpython-pylib-0.4.0.crate
A subset of the Python standard library for use with RustPython
Library home page: https://static.crates.io/crates/rustpython-pylib/rustpython-pylib-0.4.0.crate
Path to dependency file: /pdl-live-react/src-tauri/Cargo.toml
Path to vulnerable library: /pdl-live-react/src-tauri/Cargo.toml
Dependency Hierarchy:
- ❌ rustpython-pylib-0.4.0.crate (Vulnerable Library)
Found in HEAD commit: 53fa08e4030761943754a7fcf042a803825314d8
Found in base branch: main
Vulnerability Details
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
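The bypass described above works because an application trusts whatever addr-spec parseaddr() returns, even when parseaddr had to discard part of the input to produce it. The following is an added example, not code from the page or from CPython: a signup-style domain allowlist check that still calls parseaddr but only accepts its answer when it equals the whole (stripped) input, then applies a deliberately narrow addr-spec pattern. The function names, the pattern and the sample addresses are assumptions for illustration; the check rejects the misparsed input on both fixed and unfixed Pythons.

```python
import re
from email.utils import parseaddr

# Deliberately narrow addr-spec shape for a signup form: one local part, one
# dotted domain, nothing else. Matching everything RFC 5322 permits is not the
# goal; refusing anything ambiguous is.
ADDR_SPEC_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def extract_addr_spec(raw: str):
    """Return the normalized addr-spec, or None if the input is anything
    other than exactly one bare address.

    parseaddr() is consulted, but its result is only accepted when it equals
    the whole input. If parseaddr dropped or reinterpreted characters to get
    an address, the input contained something it silently discarded, which is
    the CVE-2023-27043 failure mode. A fixed parseaddr returns '' for such
    input and fails the same test."""
    candidate = raw.strip()
    _realname, addr = parseaddr(candidate)
    if not addr or addr != candidate:
        return None
    if not ADDR_SPEC_RE.fullmatch(addr):
        return None
    return addr.lower()


def domain_of(addr_spec: str) -> str:
    """Domain part of an addr-spec that extract_addr_spec() already accepted."""
    return addr_spec.rsplit("@", 1)[1]


def is_allowed_signup(raw: str, allowed_domains) -> bool:
    """True only for a single bare address whose domain is on the allowlist."""
    addr = extract_addr_spec(raw)
    return addr is not None and domain_of(addr) in set(allowed_domains)


# Constructed sample inputs: the allowlisted company domain, a display-name
# form, an address on another domain, and the misparse shape from the advisory
# where the attacker's real mailbox follows a stray ')'.
ALLOWED_DOMAINS = {"company.example.com"}
SAMPLES = {
    "plain": "alice@company.example.com",
    "display_name": "Alice <alice@company.example.com>",
    "other_domain": "bob@attacker.example",
    "misparse": "alice@company.example.com)<bob@attacker.example>",
}


def demo():
    return {label: is_allowed_signup(value, ALLOWED_DOMAINS)
            for label, value in SAMPLES.items()}


if __name__ == "__main__":
    print(demo())
```

Refusing display names is a conscious trade: a signup form only needs the mailbox, and any input with more than one addr-spec-looking token is exactly what the advisory warns about. Python 3.13 additionally gives parseaddr() a strict parameter that rejects malformed input by default; the equality check here does not depend on it.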
Publish Date: 2023-04-18
URL: CVE-2023-27043
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html
Release Date: 2023-04-18
Fix Resolution: https://github.com/python/cpython.git - v3.13.0a3