Vulnerable Library - streamlit-1.40.1-py2.py3-none-any.whl
A faster way to build and share data apps
Library home page: https://files.pythonhosted.org/packages/9a/14/857d0734989f3d26f2f965b2e3f67568ea7a6e8a60cb9c1ed7f774b6d606/streamlit-1.40.1-py2.py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/streamlit-1.40.1.dist-info
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (streamlit version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-25990 | Critical | 9.8 | pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl | Transitive | 1.51.0 | ❌ |
| CVE-2026-21441 | High | 8.6 | urllib3-2.2.3-py3-none-any.whl | Transitive | 1.40.2 | ❌ |
| CVE-2026-0994 | High | 8.6 | protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl | Transitive | N/A* | ❌ |
| CVE-2025-66471 | High | 8.6 | urllib3-2.2.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-66418 | High | 8.6 | urllib3-2.2.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2026-40192 | High | 7.5 | pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl | Transitive | N/A* | ❌ |
| CVE-2026-31958 | High | 7.5 | tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-67726 | High | 7.5 | tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-67725 | High | 7.5 | tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-47287 | High | 7.5 | tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-4565 | High | 7.5 | protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-27516 | High | 7.3 | jinja2-3.1.5-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2026-35536 | High | 7.2 | tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-67724 | Medium | 5.4 | tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-50182 | Medium | 5.3 | urllib3-2.2.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-50181 | Medium | 5.3 | urllib3-2.2.3-py3-none-any.whl | Transitive | 1.40.2 | ❌ |
| CVE-2024-47081 | Medium | 5.3 | requests-2.32.3-py3-none-any.whl | Transitive | 1.40.2 | ❌ |
| CVE-2026-33682 | Medium | 4.7 | streamlit-1.40.1-py2.py3-none-any.whl | Direct | https://github.com/streamlit/streamlit.git - 1.54.0 | ❌ |
| CVE-2026-25645 | Medium | 4.4 | requests-2.32.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2026-4539 | Low | 3.3 | pygments-2.19.1-py3-none-any.whl | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-25990
Vulnerable Library - pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/fb/ad/435fe29865f98a8fbdc64add8875a6e4f8c97749a93577a8919ec6f32c64/pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/pillow-10.4.0.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Publish Date: 2026-02-11
URL: CVE-2026-25990
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cfh3-3jmp-rvhc
Release Date: 2026-02-11
Fix Resolution (pillow): 12.1.1
Direct dependency fix Resolution (streamlit): 1.51.0
Step up your Open Source Security Game with Mend here
CVE-2026-21441
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- requests-2.32.3-py3-none-any.whl
- ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP "Content-Encoding" header (e.g., "gzip", "deflate", "br", or "zstd"). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting "preload_content=False" when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when "preload_content=False". If upgrading is not immediately possible, disable redirects by setting "redirect=False" for requests to untrusted source.
Publish Date: 2026-01-07
URL: CVE-2026-21441
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-38jv-5279-wg99
Release Date: 2026-01-07
Fix Resolution (urllib3): 2.6.3
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2026-0994
Vulnerable Library - protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
No project description provided
Library home page: https://files.pythonhosted.org/packages/a8/45/2ebbde52ad2be18d3675b6bee50e68cd73c9e0654de77d595540b5129df8/protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/protobuf-5.29.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
Publish Date: 2026-01-23
URL: CVE-2026-0994
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-23
Fix Resolution: protobuf - 6.33.5, https://github.com/protocolbuffers/protobuf.git - v33.5, https://github.com/protocolbuffers/protobuf.git - v5.29.6, https://github.com/protocolbuffers/protobuf.git - v29.6, https://github.com/protocolbuffers/protobuf.git - v3.29.6-objectivec
CVE-2025-66471
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- requests-2.32.3-py3-none-any.whl
- ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).
Publish Date: 2025-12-05
URL: CVE-2025-66471
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-2xpw-w6gg-jr37
Release Date: 2025-12-05
Fix Resolution: urllib3 - 2.6.0, https://github.com/urllib3/urllib3.git - 2.6.0
CVE-2025-66418
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- requests-2.32.3-py3-none-any.whl
- ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
Publish Date: 2025-12-05
URL: CVE-2025-66418
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-05
Fix Resolution: https://github.com/urllib3/urllib3.git - 2.6.0, urllib3 - 2.6.0
CVE-2026-40192
Vulnerable Library - pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/fb/ad/435fe29865f98a8fbdc64add8875a6e4f8c97749a93577a8919ec6f32c64/pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/pillow-10.4.0.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Publish Date: 2026-04-15
URL: CVE-2026-40192
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5xc4v2j
Release Date: 2026-04-13
Fix Resolution: https://github.com/python-pillow/Pillow.git - 12.2.0
CVE-2026-31958
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
Publish Date: 2026-03-11
URL: CVE-2026-31958
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-qjxf-f2mg-c6mc
Release Date: 2026-03-11
Fix Resolution (tornado): 6.5.5
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2025-67726
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.
Publish Date: 2025-12-12
URL: CVE-2025-67726
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution (tornado): 6.5.3
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2025-67725
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.
Publish Date: 2025-12-12
URL: CVE-2025-67725
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution (tornado): 6.5.3
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2025-47287
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. When Tornado's "multipart/form-data" parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.5.0 to receive a patch. As a workaround, risk can be mitigated by blocking "Content-Type: multipart/form-data" in a proxy.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-05-15
URL: CVE-2025-47287
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7cx3-6m66-7c5m
Release Date: 2025-05-15
Fix Resolution (tornado): 6.5
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2025-4565
Vulnerable Library - protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
No project description provided
Library home page: https://files.pythonhosted.org/packages/a8/45/2ebbde52ad2be18d3675b6bee50e68cd73c9e0654de77d595540b5129df8/protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/protobuf-5.29.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Any project that uses the Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of Service by crashing the application with a RecursionError. We recommend upgrading to version >= 6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.
Publish Date: 2025-06-16
URL: CVE-2025-4565
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-16
Fix Resolution (protobuf): 5.29.5
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2025-27516
Vulnerable Library - jinja2-3.1.5-py3-none-any.whl
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/bd/0f/2ba5fbcd631e3e88689309dbe978c5769e883e4b84ebfe7da30b43275c5a/jinja2-3.1.5-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /default/dockerbuild/attic/ui/requirements.txt
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- altair-5.4.1-py3-none-any.whl
- ❌ jinja2-3.1.5-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
Publish Date: 2025-03-05
URL: CVE-2025-27516
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-05
Fix Resolution: 3.1.6
CVE-2026-35536
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
Publish Date: 2026-04-03
URL: CVE-2026-35536
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-78cv-mqj4-43f7
Release Date: 2026-04-03
Fix Resolution (tornado): 6.5.5
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2025-67724
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.
Publish Date: 2025-12-12
URL: CVE-2025-67724
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution (tornado): 6.5.3
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2025-50182
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- requests-2.32.3-py3-none-any.whl
- ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-19
URL: CVE-2025-50182
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-19
Fix Resolution: urllib3 - 2.5.0, https://github.com/urllib3/urllib3.git - 2.5.0
CVE-2025-50181
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- requests-2.32.3-py3-none-any.whl
- ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disables redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
Publish Date: 2025-06-19
URL: CVE-2025-50181
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-19
Fix Resolution (urllib3): 2.5.0
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2024-47081
Vulnerable Library - requests-2.32.3-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/requests-2.32.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ requests-2.32.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with "trust_env=False" on one's Requests Session.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-09
URL: CVE-2024-47081
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9hjg-9r4m-mvj7
Release Date: 2025-06-09
Fix Resolution (requests): 2.32.4
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2026-33682
Vulnerable Library - streamlit-1.40.1-py2.py3-none-any.whl
A faster way to build and share data apps
Library home page: https://files.pythonhosted.org/packages/9a/14/857d0734989f3d26f2f965b2e3f67568ea7a6e8a60cb9c1ed7f774b6d606/streamlit-1.40.1-py2.py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/streamlit-1.40.1.dist-info
Dependency Hierarchy:
- ❌ streamlit-1.40.1-py2.py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Streamlit is a data oriented application development framework for python. Streamlit Open Source versions prior to 1.54.0 running on Windows hosts have an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability arises from improper validation of attacker-supplied filesystem paths. In certain code paths, including within the "ComponentRequestHandler", filesystem paths are resolved using "os.path.realpath()" or "Path.resolve()" before sufficient validation occurs. On Windows systems, supplying a malicious UNC path (e.g., "\\attacker-controlled-host\share") can cause the Streamlit server to initiate outbound SMB connections over port 445. When Windows attempts to authenticate to the remote SMB server, NTLMv2 challenge-response credentials of the Windows user running the Streamlit process may be transmitted. This behavior may allow an attacker to perform NTLM relay attacks against other internal services and/or identify internally reachable SMB hosts via timing analysis. The vulnerability has been fixed in Streamlit Open Source version 1.54.0.
Publish Date: 2026-03-26
URL: CVE-2026-33682
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/streamlit/streamlit.git - 1.54.0
CVE-2026-25645
Vulnerable Library - requests-2.32.3-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/requests-2.32.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
- ❌ requests-2.32.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Requests is an HTTP library. Prior to version 2.33.0, the "requests.utils.extract_zipped_paths()" utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call "extract_zipped_paths()" directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set "TMPDIR" in their environment to a directory with restricted write access.
Publish Date: 2026-03-25
URL: CVE-2026-25645
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/psf/requests.git - v2.33.0
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/fb/ad/435fe29865f98a8fbdc64add8875a6e4f8c97749a93577a8919ec6f32c64/pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/pillow-10.4.0.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Publish Date: 2026-02-11
URL: CVE-2026-25990
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cfh3-3jmp-rvhc
Release Date: 2026-02-11
Fix Resolution (pillow): 12.1.1
Direct dependency fix Resolution (streamlit): 1.51.0
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP "Content-Encoding" header (e.g., "gzip", "deflate", "br", or "zstd"). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting "preload_content=False" and do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when "preload_content=False". If upgrading is not immediately possible, disable redirects by setting "redirect=False" for requests to untrusted sources.
Publish Date: 2026-01-07
URL: CVE-2026-21441
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-38jv-5279-wg99
Release Date: 2026-01-07
Fix Resolution (urllib3): 2.6.3
Direct dependency fix Resolution (streamlit): 1.40.2
Vulnerable Library - protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
No project description provided
Library home page: https://files.pythonhosted.org/packages/a8/45/2ebbde52ad2be18d3675b6bee50e68cd73c9e0654de77d595540b5129df8/protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/protobuf-5.29.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
Publish Date: 2026-01-23
URL: CVE-2026-0994
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-23
Fix Resolution: protobuf - 6.33.5, https://github.com/protocolbuffers/protobuf.git - v33.5, https://github.com/protocolbuffers/protobuf.git - v5.29.6, https://github.com/protocolbuffers/protobuf.git - v29.6, https://github.com/protocolbuffers/protobuf.git - v3.29.6-objectivec
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).
Publish Date: 2025-12-05
URL: CVE-2025-66471
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-2xpw-w6gg-jr37
Release Date: 2025-12-05
Fix Resolution: urllib3 - 2.6.0, https://github.com/urllib3/urllib3.git - 2.6.0
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
Publish Date: 2025-12-05
URL: CVE-2025-66418
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-05
Fix Resolution: https://github.com/urllib3/urllib3.git - 2.6.0, urllib3 - 2.6.0
Vulnerable Library - pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl
Python Imaging Library (Fork)
Library home page: https://files.pythonhosted.org/packages/fb/ad/435fe29865f98a8fbdc64add8875a6e4f8c97749a93577a8919ec6f32c64/pillow-10.4.0-cp38-cp38-manylinux_2_28_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/pillow-10.4.0.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.
Publish Date: 2026-04-15
URL: CVE-2026-40192
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5xc4v2j
Release Date: 2026-04-13
Fix Resolution: https://github.com/python-pillow/Pillow.git - 12.2.0
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
Publish Date: 2026-03-11
URL: CVE-2026-31958
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-qjxf-f2mg-c6mc
Release Date: 2026-03-11
Fix Resolution (tornado): 6.5.5
Direct dependency fix Resolution (streamlit): 1.40.2
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.
Publish Date: 2025-12-12
URL: CVE-2025-67726
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution (tornado): 6.5.3
Direct dependency fix Resolution (streamlit): 1.40.2
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.
Publish Date: 2025-12-12
URL: CVE-2025-67725
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution (tornado): 6.5.3
Direct dependency fix Resolution (streamlit): 1.40.2
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. When Tornado's "multipart/form-data" parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.5.0 to receive a patch. As a workaround, risk can be mitigated by blocking "Content-Type: multipart/form-data" in a proxy.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-05-15
URL: CVE-2025-47287
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7cx3-6m66-7c5m
Release Date: 2025-05-15
Fix Resolution (tornado): 6.5
Direct dependency fix Resolution (streamlit): 1.40.2
Vulnerable Library - protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
No project description provided
Library home page: https://files.pythonhosted.org/packages/a8/45/2ebbde52ad2be18d3675b6bee50e68cd73c9e0654de77d595540b5129df8/protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/protobuf-5.29.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Any project that uses the Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a denial of service by crashing the application with a RecursionError. We recommend upgrading to version >= 6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.
Publish Date: 2025-06-16
URL: CVE-2025-4565
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-16
Fix Resolution (protobuf): 5.29.5
Direct dependency fix Resolution (streamlit): 1.40.2
Vulnerable Library - jinja2-3.1.5-py3-none-any.whl
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/bd/0f/2ba5fbcd631e3e88689309dbe978c5769e883e4b84ebfe7da30b43275c5a/jinja2-3.1.5-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /default/dockerbuild/attic/ui/requirements.txt
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
Publish Date: 2025-03-05
URL: CVE-2025-27516
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-05
Fix Resolution: 3.1.6
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to RequestHandler.set_cookie were not checked for crafted characters.
Publish Date: 2026-04-03
URL: CVE-2026-35536
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-78cv-mqj4-43f7
Release Date: 2026-04-03
Fix Resolution (tornado): 6.5.5
Direct dependency fix Resolution (streamlit): 1.40.2
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/22/55/b78a464de78051a30599ceb6983b01d8f732e6f69bf37b4ed07f642ac0fc/tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) and in the HTML of the default error page (where it could be used for XSS), so the issue can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line, mainly for non-standard status codes. This issue is fixed in version 6.5.3.
Publish Date: 2025-12-12
URL: CVE-2025-67724
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution (tornado): 6.5.3
Direct dependency fix Resolution (streamlit): 1.40.2
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-19
URL: CVE-2025-50182
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-19
Fix Resolution: urllib3 - 2.5.0, https://github.com/urllib3/urllib3.git - 2.5.0
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disables redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
Publish Date: 2025-06-19
URL: CVE-2025-50181
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-19
Fix Resolution (urllib3): 2.5.0
Direct dependency fix Resolution (streamlit): 1.40.2
Vulnerable Library - requests-2.32.3-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/requests-2.32.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with "trust_env=False" on one's Requests Session.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-09
URL: CVE-2024-47081
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9hjg-9r4m-mvj7
Release Date: 2025-06-09
Fix Resolution (requests): 2.32.4
Direct dependency fix Resolution (streamlit): 1.40.2
Vulnerable Library - streamlit-1.40.1-py2.py3-none-any.whl
A faster way to build and share data apps
Library home page: https://files.pythonhosted.org/packages/9a/14/857d0734989f3d26f2f965b2e3f67568ea7a6e8a60cb9c1ed7f774b6d606/streamlit-1.40.1-py2.py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/streamlit-1.40.1.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Streamlit is a data-oriented application development framework for Python. Streamlit Open Source versions prior to 1.54.0 running on Windows hosts have an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability arises from improper validation of attacker-supplied filesystem paths. In certain code paths, including within the "ComponentRequestHandler", filesystem paths are resolved using "os.path.realpath()" or "Path.resolve()" before sufficient validation occurs. On Windows systems, supplying a malicious UNC path (e.g., "\\attacker-controlled-host\share") can cause the Streamlit server to initiate outbound SMB connections over port 445. When Windows attempts to authenticate to the remote SMB server, NTLMv2 challenge-response credentials of the Windows user running the Streamlit process may be transmitted. This behavior may allow an attacker to perform NTLM relay attacks against other internal services and/or identify internally reachable SMB hosts via timing analysis. The vulnerability has been fixed in Streamlit Open Source version 1.54.0.
Publish Date: 2026-03-26
URL: CVE-2026-33682
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/streamlit/streamlit.git - 1.54.0
Vulnerable Library - requests-2.32.3-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/requests-2.32.3.dist-info
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Requests is an HTTP library. Prior to version 2.33.0, the "requests.utils.extract_zipped_paths()" utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call "extract_zipped_paths()" directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set "TMPDIR" in their environment to a directory with restricted write access.
Publish Date: 2026-03-25
URL: CVE-2026-25645
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/psf/requests.git - v2.33.0