Description
Vulnerable Library - dvp-2.1.0.tar.gz
Path to dependency file: /test/requirements.txt
Path to vulnerable library: /test/requirements.txt
Found in HEAD commit: 3eb8f2dabb4ed00463d6d386390c0f1b37836038
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (dvp version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2025-47273 | 8.8 | setuptools-75.3.0-py3-none-any.whl | Transitive | 3.0.0 | ✅ |
| CVE-2025-4565 | 7.5 | protobuf-3.6.1-py2.py3-none-any.whl | Transitive | 3.0.0 | ✅ |
| CVE-2022-1941 | 7.5 | protobuf-3.6.1-py2.py3-none-any.whl | Transitive | 5.0.0 | ✅ |
| CVE-2025-27516 | 7.3 | jinja2-3.1.5-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-50182 | 5.3 | urllib3-2.2.3-py3-none-any.whl | Transitive | 3.0.0 | ✅ |
| CVE-2025-50181 | 5.3 | urllib3-2.2.3-py3-none-any.whl | Transitive | 3.0.0 | ✅ |
| CVE-2024-47081 | 5.3 | requests-2.32.3-py3-none-any.whl | Transitive | 3.0.0 | ✅ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
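The table above pairs each transitive package with the direct-dependency (dvp) version that pulls in a fix, but the check a practitioner actually wants to run is against the transitive fix versions from the "Details" sections, since a resolved environment may already pin a patched version even when dvp has not been bumped. The following script is an added example, not Mend's tooling and not part of the dvp project: it parses `pip freeze`-style pins (a constructed listing that mirrors the versions the scanner found), compares them with the fix versions stated in this report, and lists the packages still below the fix. Names such as `vulnerable_pins` and `FIXED_IN` are this example's own.

```python
"""Compare a pinned Python environment with the fix versions listed in this report.

Added example (not Mend's or dvp's code). Replace SAMPLE_FREEZE with real
`pip freeze` output to check an actual environment.
"""
import re
from typing import Dict, List, Tuple

# First fixed version of each transitive package, taken from the "Details"
# sections of this report (CVE noted per entry).
FIXED_IN: Dict[str, str] = {
    "setuptools": "78.1.1",  # CVE-2025-47273
    "protobuf": "6.31.1",    # CVE-2025-4565 (CVE-2022-1941 is fixed earlier, in 3.18.3)
    "jinja2": "3.1.6",       # CVE-2025-27516
    "urllib3": "2.5.0",      # CVE-2025-50181, CVE-2025-50182
    "requests": "2.32.4",    # CVE-2024-47081
}

# Constructed `pip freeze` output matching the versions the scanner reported.
SAMPLE_FREEZE = """\
dvp==2.1.0
Jinja2==3.1.5
protobuf==3.6.1
requests==2.32.3
setuptools==75.3.0
urllib3==2.2.3
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'Jinja2' and 'jinja2' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted release segment only, which is enough for the pins here.

    Pre-release and dev suffixes are not modelled: the first non-numeric
    piece ends the key, so '3.1.6rc1' compares like '3.1.6'.
    """
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):
            break
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if release a is strictly older than b; '3.1' and '3.1.0' are equal."""
    ka, kb = parse_version(a), parse_version(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def parse_freeze(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version for every '==' line."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def vulnerable_pins(freeze_text: str, fixed_in: Dict[str, str] = FIXED_IN) -> Dict[str, Tuple[str, str]]:
    """Return {package: (installed, first_fixed)} for every pin below its fix version."""
    installed = parse_freeze(freeze_text)
    hits: Dict[str, Tuple[str, str]] = {}
    for pkg, fixed in fixed_in.items():
        key = normalize_name(pkg)
        if key in installed and version_lt(installed[key], fixed):
            hits[key] = (installed[key], fixed)
    return hits


if __name__ == "__main__":
    for pkg, (have, need) in sorted(vulnerable_pins(SAMPLE_FREEZE).items()):
        print(f"{pkg}: installed {have}, first fixed in {need}")
```

Run it against `pip freeze` output from the deployed environment rather than against requirements.txt alone: the scanner resolved these packages into a virtualenv (see the `/tmp/ws-ua_.../site-packages/...` paths below), and a lock file or constraints file may already pin a version above the fix.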
Details
CVE-2025-47273
Vulnerable Library - setuptools-75.3.0-py3-none-any.whl
Easily download, build, install, upgrade, and uninstall Python packages
Library home page: https://files.pythonhosted.org/packages/90/12/282ee9bce8b58130cb762fbc9beabd531549952cac11fc56add11dcb7ea0/setuptools-75.3.0-py3-none-any.whl
Path to dependency file: /test/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130115351_JQMQQS/python_WWSMLY/202501301153531/env/lib/python3.8/site-packages/setuptools-75.3.0.dist-info
Dependency Hierarchy:
- dvp-2.1.0.tar.gz (Root Library)
  - dvp-common-2.1.0.tar.gz
    - dvp-api-1.3.0.tar.gz
      - protobuf-3.6.1-py2.py3-none-any.whl
        - ❌ setuptools-75.3.0-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 3eb8f2dabb4ed00463d6d386390c0f1b37836038
Found in base branch: master
Vulnerability Details
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in "PackageIndex" is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-05-17
URL: CVE-2025-47273
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5rjg-fvgr-3xxf
Release Date: 2025-05-17
Fix Resolution (setuptools): 78.1.1
Direct dependency fix Resolution (dvp): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
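The advisory text above describes the bug class (a file name derived from untrusted input is joined to a destination directory and can escape it) without giving the specific code path, and this report does not reproduce it. What a practitioner can take from it is the general defence: derive the file name from the last URL path segment only and refuse any destination whose resolved path leaves the download directory. The block below is an added example of that defence, not setuptools' own `PackageIndex` code or its 78.1.1 fix; `safe_destination`, `filename_from_url` and `store_download` are this example's names, the "download" is a constructed byte string, and the scratch directory is created by `demo()` so the whole thing runs offline.

```python
"""Bounded file placement: the generic defence for the path-traversal class
that CVE-2025-47273 belongs to.

Added example, not setuptools' code or its fix. All names are this
example's own; the downloaded archive is a constructed byte string.
"""
import os
import posixpath
import tempfile
from typing import Dict, List
from urllib.parse import unquote, urlsplit


class UnsafePath(ValueError):
    """Raised when a name would place a file outside the allowed directory."""


def safe_destination(base_dir: str, name: str) -> str:
    """Resolve `name` under `base_dir`, refusing anything that escapes it.

    Rejects absolute names and empty/dot names outright, then compares the
    real path of the target with the real base directory so that '..'
    segments and symlinked parents cannot escape.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(name) or name in ("", ".", ".."):
        raise UnsafePath(name)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base or target == base:
        raise UnsafePath(name)
    return target


def filename_from_url(url: str) -> str:
    """Use only the URL-decoded last path segment as the file name.

    Decoding happens before taking the basename, so '%2e%2e' and '%2f' are
    normalised away rather than surviving into the file system call.
    """
    path = unquote(urlsplit(url).path)
    name = posixpath.basename(path)  # drops any directory component
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\0" in name:
        raise UnsafePath(url)
    return name


def store_download(base_dir: str, url: str, body: bytes) -> str:
    """Write `body` (stand-in for the fetched archive) to a bounded location."""
    dest = safe_destination(base_dir, filename_from_url(url))
    with open(dest, "wb") as fh:
        fh.write(body)
    return dest


def rejects(base_dir: str, name: str) -> bool:
    """True if `name` is refused for `base_dir`."""
    try:
        safe_destination(base_dir, name)
    except UnsafePath:
        return True
    return False


def demo() -> Dict[str, object]:
    """Exercise the checks in a scratch directory; returns what was written and refused."""
    base = tempfile.mkdtemp()
    written = store_download(base, "https://example.invalid/simple/pkg-1.0.tar.gz",
                             b"constructed archive bytes")
    candidates: List[str] = ["../evil.whl", "/etc/passwd", "a/../../evil.whl", ".."]
    refused = [n for n in candidates if rejects(base, n)]
    with open(written, "rb") as fh:
        content = fh.read()
    return {
        "written_name": os.path.basename(written),
        "inside_base": os.path.dirname(written) == os.path.realpath(base),
        "refused": refused,
        "content": content,
    }


if __name__ == "__main__":
    print(demo())
```

Note the order of operations: decode, then take the basename, then resolve and compare real paths. Checking for `..` on the raw, still-encoded URL is the kind of filter that this bug class gets past.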
CVE-2025-4565
Vulnerable Library - protobuf-3.6.1-py2.py3-none-any.whl
No project description provided
Library home page: https://files.pythonhosted.org/packages/77/78/a7f1ce761e2c738e209857175cd4f90a8562d1bde32868a8cd5290d58926/protobuf-3.6.1-py2.py3-none-any.whl
Path to dependency file: /test/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130115351_JQMQQS/python_WWSMLY/202501301153531/env/lib/python3.8/site-packages/protobuf-3.6.1.dist-info
Dependency Hierarchy:
- dvp-2.1.0.tar.gz (Root Library)
  - dvp-common-2.1.0.tar.gz
    - dvp-api-1.3.0.tar.gz
      - ❌ protobuf-3.6.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 3eb8f2dabb4ed00463d6d386390c0f1b37836038
Found in base branch: master
Vulnerability Details
Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be crashed by exceeding the Python recursion limit. This can result in a denial of service by crashing the application with a RecursionError. We recommend upgrading to version >=6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.
Publish Date: 2025-06-16
URL: CVE-2025-4565
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-16
Fix Resolution (protobuf): 6.31.1
Direct dependency fix Resolution (dvp): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
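The failure mode above (nested input driving a recursive decoder past the interpreter's recursion limit, so the process dies with an uncaught RecursionError) is easier to reason about on a small decoder than on the real one. The block below is an added example, not protobuf's code or its 6.31.1 fix: a hand-written decoder for the two wire types needed here (varint and length-delimited), a builder for a constructed message nested to a chosen depth, and a `max_depth` guard that turns over-deep input into a ValueError the caller can handle. It treats every length-delimited field as an embedded message because it has no schema; a real decoder knows from the schema which fields are submessages, but the recursion shape is the same. It runs without the protobuf package installed.

```python
"""Depth-bounded decoding of nested length-delimited protobuf fields.

Added example, not protobuf's code or its fix for CVE-2025-4565. Uses a
tiny schema-less decoder for the wire format so it runs without protobuf;
all input messages are constructed inline.
"""
import sys
from typing import Any, List, Optional, Tuple

WIRETYPE_VARINT = 0
WIRETYPE_LEN = 2


def encode_varint(n: int) -> bytes:
    """Standard base-128 varint, least-significant group first."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, new_pos); bounds-checked so truncated input is an error."""
    shift, result = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def nested_message(depth: int) -> bytes:
    """Constructed input: field 1 (length-delimited) wrapped around itself `depth`
    times, with field 2 = 7 (varint) at the centre."""
    body = encode_varint((2 << 3) | WIRETYPE_VARINT) + encode_varint(7)
    for _ in range(depth):
        body = encode_varint((1 << 3) | WIRETYPE_LEN) + encode_varint(len(body)) + body
    return body


def parse(buf: bytes, max_depth: Optional[int] = None, _depth: int = 0) -> List[Tuple[int, Any]]:
    """Decode `buf` to [(field_number, value)], recursing into length-delimited fields.

    max_depth=None leaves the recursion unbounded, which is the shape of the
    behaviour the advisory describes: the only limit is the interpreter's,
    and hitting it raises RecursionError. With a limit, over-deep input fails
    early with a ValueError instead.
    """
    if max_depth is not None and _depth > max_depth:
        raise ValueError(f"nesting deeper than {max_depth}")
    fields: List[Tuple[int, Any]] = []
    pos = 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        field, wiretype = tag >> 3, tag & 7
        if wiretype == WIRETYPE_VARINT:
            value, pos = decode_varint(buf, pos)
        elif wiretype == WIRETYPE_LEN:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field overruns buffer")
            value = parse(buf[pos:pos + length], max_depth, _depth + 1)
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wiretype}")
        fields.append((field, value))
    return fields


def outcome(depth: int, max_depth: Optional[int] = None) -> str:
    """Classify what parsing a message of the given nesting depth does."""
    try:
        parse(nested_message(depth), max_depth)
        return "ok"
    except RecursionError:
        return "RecursionError"
    except ValueError:
        return "rejected"


def crash_depth() -> int:
    """A nesting depth guaranteed to exceed the interpreter's recursion limit."""
    return sys.getrecursionlimit() * 2


if __name__ == "__main__":
    print(outcome(50, max_depth=64), outcome(500, max_depth=64), outcome(crash_depth()))
```

The guard is cheap and local to the decoder; the same idea (bounding depth and total allocation before trusting the input's own length fields) is the general mitigation for the parser-DoS class that CVE-2022-1941 below also belongs to, although that one is a memory-exhaustion rather than a recursion issue and is not reproduced by this decoder.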
CVE-2022-1941
Vulnerable Library - protobuf-3.6.1-py2.py3-none-any.whl
No project description provided
Library home page: https://files.pythonhosted.org/packages/77/78/a7f1ce761e2c738e209857175cd4f90a8562d1bde32868a8cd5290d58926/protobuf-3.6.1-py2.py3-none-any.whl
Path to dependency file: /test/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130115351_JQMQQS/python_WWSMLY/202501301153531/env/lib/python3.8/site-packages/protobuf-3.6.1.dist-info
Dependency Hierarchy:
- dvp-2.1.0.tar.gz (Root Library)
  - dvp-common-2.1.0.tar.gz
    - dvp-api-1.3.0.tar.gz
      - ❌ protobuf-3.6.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 3eb8f2dabb4ed00463d6d386390c0f1b37836038
Found in base branch: master
Vulnerability Details
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Publish Date: 2022-09-22
URL: CVE-2022-1941
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-8gq9-2x98-w8hf
Release Date: 2022-09-22
Fix Resolution (protobuf): 3.18.3
Direct dependency fix Resolution (dvp): 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-27516
Vulnerable Library - jinja2-3.1.5-py3-none-any.whl
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/bd/0f/2ba5fbcd631e3e88689309dbe978c5769e883e4b84ebfe7da30b43275c5a/jinja2-3.1.5-py3-none-any.whl
Path to dependency file: /test/requirements.txt
Path to vulnerable library: /test/requirements.txt
Dependency Hierarchy:
- dvp-2.1.0.tar.gz (Root Library)
  - dvp-tools-2.1.0.tar.gz
    - ❌ jinja2-3.1.5-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 3eb8f2dabb4ed00463d6d386390c0f1b37836038
Found in base branch: master
Vulnerability Details
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
Publish Date: 2025-03-05
URL: CVE-2025-27516
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-05
Fix Resolution: 3.1.6
CVE-2025-50182
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /test/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130115351_JQMQQS/python_WWSMLY/202501301153531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- dvp-2.1.0.tar.gz (Root Library)
  - dvp-tools-2.1.0.tar.gz
    - requests-2.32.3-py3-none-any.whl
      - ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 3eb8f2dabb4ed00463d6d386390c0f1b37836038
Found in base branch: master
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
Publish Date: 2025-06-19
URL: CVE-2025-50182
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-19
Fix Resolution (urllib3): 2.5.0
Direct dependency fix Resolution (dvp): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-50181
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /test/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130115351_JQMQQS/python_WWSMLY/202501301153531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- dvp-2.1.0.tar.gz (Root Library)
  - dvp-tools-2.1.0.tar.gz
    - requests-2.32.3-py3-none-any.whl
      - ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 3eb8f2dabb4ed00463d6d386390c0f1b37836038
Found in base branch: master
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disables redirects, yet redirects are still followed. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
Publish Date: 2025-06-19
URL: CVE-2025-50181
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-19
Fix Resolution (urllib3): 2.5.0
Direct dependency fix Resolution (dvp): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-47081
Vulnerable Library - requests-2.32.3-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl
Path to dependency file: /test/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250130115351_JQMQQS/python_WWSMLY/202501301153531/env/lib/python3.8/site-packages/requests-2.32.3.dist-info
Dependency Hierarchy:
- dvp-2.1.0.tar.gz (Root Library)
  - dvp-tools-2.1.0.tar.gz
    - ❌ requests-2.32.3-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 3eb8f2dabb4ed00463d6d386390c0f1b37836038
Found in base branch: master
Vulnerability Details
Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with "trust_env=False" on one's Requests Session.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-09
URL: CVE-2024-47081
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9hjg-9r4m-mvj7
Release Date: 2025-06-09
Fix Resolution (requests): 2.32.4
Direct dependency fix Resolution (dvp): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.