Description
Vulnerable Library - streamlit-1.40.1-py2.py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /default/dockerbuild/attic/ui/requirements.txt
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (streamlit version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2025-27516 | 8.8 | jinja2-3.1.5-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2026-21441 | 8.6 | urllib3-2.2.3-py3-none-any.whl | Transitive | 1.40.2 | ❌ |
| CVE-2026-0994 | 8.6 | protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-66471 | 8.6 | urllib3-2.2.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-66418 | 8.6 | urllib3-2.2.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-67726 | 7.5 | tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-67725 | 7.5 | tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-47287 | 7.5 | tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-4565 | 7.5 | protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-67724 | 5.4 | tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | 1.40.2 | ❌ |
| CVE-2025-50182 | 5.3 | urllib3-2.2.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-50181 | 5.3 | urllib3-2.2.3-py3-none-any.whl | Transitive | 1.40.2 | ❌ |
| CVE-2024-47081 | 5.3 | requests-2.32.3-py3-none-any.whl | Transitive | 1.40.2 | ❌ |
*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.
**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2025-27516
Vulnerable Library - jinja2-3.1.5-py3-none-any.whl
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/bd/0f/2ba5fbcd631e3e88689309dbe978c5769e883e4b84ebfe7da30b43275c5a/jinja2-3.1.5-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /default/dockerbuild/attic/ui/requirements.txt
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - altair-5.4.1-py3-none-any.whl
    - ❌ jinja2-3.1.5-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
Publish Date: 2025-03-05
URL: CVE-2025-27516
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-05
Fix Resolution: 3.1.6
Step up your Open Source Security Game with Mend here
CVE-2026-21441
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - requests-2.32.3-py3-none-any.whl
    - ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP "Content-Encoding" header (e.g., "gzip", "deflate", "br", or "zstd"). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting "preload_content=False" when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when "preload_content=False". If upgrading is not immediately possible, disable redirects by setting "redirect=False" for requests to untrusted source.
Publish Date: 2026-01-07
URL: CVE-2026-21441
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-38jv-5279-wg99
Release Date: 2026-01-07
Fix Resolution (urllib3): 2.6.3
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2026-0994
Vulnerable Library - protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
No project description provided
Library home page: https://files.pythonhosted.org/packages/a8/45/2ebbde52ad2be18d3675b6bee50e68cd73c9e0654de77d595540b5129df8/protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/protobuf-5.29.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - ❌ protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
Publish Date: 2026-01-23
URL: CVE-2026-0994
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-23
Fix Resolution (protobuf): 6.33.5
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2025-66471
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - requests-2.32.3-py3-none-any.whl
    - ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).
Publish Date: 2025-12-05
URL: CVE-2025-66471
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-2xpw-w6gg-jr37
Release Date: 2025-12-05
Fix Resolution (urllib3): 2.6.0 (tag 2.6.0 in https://github.com/urllib3/urllib3.git)
CVE-2025-66418
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - requests-2.32.3-py3-none-any.whl
    - ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
Publish Date: 2025-12-05
URL: CVE-2025-66418
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-05
Fix Resolution (urllib3): 2.6.0 (tag 2.6.0 in https://github.com/urllib3/urllib3.git)
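The three urllib3 findings on this page (CVE-2025-66471, CVE-2025-66418 and the redirect-drain variant CVE-2026-21441) share one root cause: decompression was not bounded by what the caller asked for. The following is an added example written for this page, not urllib3's own code, of a streaming decoder that applies the two safeguards the fixed versions describe: each stage is driven with zlib's max_length so a read of `amt` bytes never decodes more than `amt`, and the number of stacked Content-Encoding tokens is checked before any decoding starts. The chain cap of 3, the 16 KiB wire chunk, and the constructed "deflate, gzip" bomb are assumptions of the example; brotli/zstd and the redirect case are not modelled (for the latter, the advisory's interim mitigation is `redirect=False` for untrusted hosts until 2.6.3 is installed).

```python
import gzip
import zlib

MAX_ENCODING_CHAIN = 3     # assumed cap on stacked Content-Encoding tokens
WIRE_CHUNK = 16 * 1024     # compressed bytes pulled from the "socket" per read


class DecodeError(Exception):
    pass


def _decoder(token):
    """One zlib decompressor per Content-Encoding token (gzip and deflate only here)."""
    if token == "gzip":
        return zlib.decompressobj(16 + zlib.MAX_WBITS)
    if token == "deflate":
        return zlib.decompressobj(zlib.MAX_WBITS)
    raise DecodeError(f"unsupported Content-Encoding {token!r}")


class BoundedBody:
    """Streams a compressed body, decompressing at most `amt` bytes per read().

    The encoding chain is validated before any decoding starts, and every stage
    is driven with zlib's max_length so output never outruns the caller's
    request; input that was not needed stays in each stage's unconsumed_tail.
    """

    def __init__(self, wire, content_encoding):
        tokens = [t.strip().lower() for t in content_encoding.split(",") if t.strip()]
        if len(tokens) > MAX_ENCODING_CHAIN:
            raise DecodeError(f"{len(tokens)} stacked encodings exceeds {MAX_ENCODING_CHAIN}")
        # The last encoding the server applied is the first one to undo.
        self._stages = [_decoder(t) for t in reversed(tokens)]
        self._wire = wire
        self._pos = 0

    def _tails_pending(self):
        return any(stage.unconsumed_tail for stage in self._stages)

    def read(self, amt):
        """Return up to `amt` decoded bytes, or b"" once the body is exhausted."""
        while True:
            chunk = b""
            # Only touch the wire when every stage has drained what it already holds.
            if self._pos < len(self._wire) and not self._tails_pending():
                chunk = self._wire[self._pos:self._pos + WIRE_CHUNK]
                self._pos += WIRE_CHUNK
            data = chunk
            for stage in self._stages:
                # max_length=amt is the safeguard: leftover input is parked, not inflated
                data = stage.decompress(stage.unconsumed_tail + data, amt)
            if data or (self._pos >= len(self._wire) and not self._tails_pending()):
                return data


def make_bomb(size=16 * 1024 * 1024):
    """Constructed decompression bomb: `size` zero bytes, deflate- then gzip-encoded,
    as a server answering with 'Content-Encoding: deflate, gzip' would send them."""
    plain = b"\0" * size
    return gzip.compress(zlib.compress(plain, 9)), size


def drain(wire, content_encoding, amt):
    """Read the whole body `amt` bytes at a time; report total and largest single read."""
    body = BoundedBody(wire, content_encoding)
    total = biggest = 0
    while True:
        piece = body.read(amt)
        if not piece:
            return total, biggest
        total += len(piece)
        biggest = max(biggest, len(piece))


def chain_rejected(content_encoding):
    """True when the encoding chain is refused before any byte is decoded."""
    try:
        BoundedBody(b"", content_encoding)
        return False
    except DecodeError:
        return True


if __name__ == "__main__":
    wire, size = make_bomb()
    total, biggest = drain(wire, "deflate, gzip", 64 * 1024)
    print(f"{len(wire)} wire bytes -> {total} decoded bytes, largest single read {biggest}")
    print("four stacked encodings rejected:", chain_rejected("gzip, gzip, gzip, gzip"))
```

Roughly 16 KB on the wire expands to 16 MiB, but no single read() ever returns more than the requested 64 KiB, which is the property the vulnerable versions lacked; a chain of four encodings is refused outright, which is the property 2.6.0 added for CVE-2025-66418.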
CVE-2025-67726
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - ❌ tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.
Publish Date: 2025-12-12
URL: CVE-2025-67726
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution (tornado): 6.5.3
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2025-67725
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - ❌ tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.
Publish Date: 2025-12-12
URL: CVE-2025-67725
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution (tornado): 6.5.3
Direct dependency fix Resolution (streamlit): 1.40.2
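Both tornado findings above (CVE-2025-67726 and CVE-2025-67725) are quadratic string handling on attacker-sized input: rescanning the header value with string.count() for every quoted semicolon, and re-copying an ever-growing string for every repeated header. The example below is added for this page and is not tornado's code; it shows the linear-time shape of both operations, a single-pass scanner that honours quotes and backslash escapes while splitting parameters, and a header bag that appends to a list and joins once on read. The parameter syntax handled (`main; k=v; k2="quoted; value"`) and the comma join for repeated headers are assumptions of the example.

```python
def parse_header_params(value):
    """Split 'form-data; name="a;b"; filename="x"' in one pass.

    Semicolons inside double quotes do not split, backslash escapes inside
    quotes are honoured, and quotes are removed from the returned values.
    Each character is visited exactly once, so cost is O(len(value)).
    """
    parts, buf = [], []
    in_quotes = escaped = False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))

    main = parts[0].strip()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip()
        elif part.strip():
            params[part.strip().lower()] = None
    return main, params


class HeaderBag:
    """Repeated header names are collected in a list and joined once on read.

    Appending to a list is amortised O(1) per value; the join happens once,
    so n repeated headers cost O(total length) instead of O(n^2).
    """

    def __init__(self):
        self._values = {}

    def add(self, name, value):
        self._values.setdefault(name.lower(), []).append(value)

    def get(self, name):
        vals = self._values.get(name.lower())
        return None if vals is None else ",".join(vals)

    def get_list(self, name):
        return list(self._values.get(name.lower(), []))


if __name__ == "__main__":
    # Constructed multipart header with quoted semicolons and an escaped quote
    print(parse_header_params('form-data; name="field; with; semicolons"; filename="a\\"b.txt"'))
    bag = HeaderBag()
    for i in range(100_000):          # 100k repeats stay cheap with list accumulation
        bag.add("X-Many", str(i))
    print(len(bag.get("x-many")))
```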
CVE-2025-47287
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - ❌ tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. When Tornado's "multipart/form-data" parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.5.0 to receive a patch. As a workaround, risk can be mitigated by blocking "Content-Type: multipart/form-data" in a proxy.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-05-15
URL: CVE-2025-47287
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7cx3-6m66-7c5m
Release Date: 2025-05-15
Fix Resolution (tornado): 6.5
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2025-4565
Vulnerable Library - protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
No project description provided
Library home page: https://files.pythonhosted.org/packages/a8/45/2ebbde52ad2be18d3675b6bee50e68cd73c9e0654de77d595540b5129df8/protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/protobuf-5.29.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - ❌ protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages, or a series of SGROUP tags can be made to exceed the Python recursion limit. This can result in a denial of service by crashing the application with a RecursionError. Upgrade to version >= 6.31.1, or to a build at or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901.
Publish Date: 2025-06-16
URL: CVE-2025-4565
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-16
Fix Resolution (protobuf): 5.29.5
Direct dependency fix Resolution (streamlit): 1.40.2
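Both protobuf findings on this page (CVE-2026-0994 in ParseDict's handling of nested google.protobuf.Any, and CVE-2025-4565 in the pure-Python wire parser) are the same failure: a recursion budget exists, but one recursive path does not charge against it, so deeply nested input runs the interpreter out of stack. The following is an added illustration written for this page, not protobuf's code: a toy JSON-style message walker in two variants, one where the Any-unwrap step forgets to count a level and one where every recursive step is charged. The `@type`/`value` layout, the limit of 100, and the constructed payload are assumptions of the example.

```python
MAX_RECURSION_DEPTH = 100   # assumed budget, the same order as ParseDict's default
ANY_TYPE = "type.googleapis.com/google.protobuf.Any"


class ParseError(Exception):
    pass


def nested_any_payload(levels):
    """Constructed input: `levels` Any wrappers around one ordinary leaf message."""
    node = {"@type": "type.googleapis.com/example.Leaf", "value": 1}
    for _ in range(levels):
        node = {"@type": ANY_TYPE, "value": node}
    return node


def parse_unaccounted(node, depth=0):
    """Flawed accounting: the Any unwrap recurses without spending budget,
    so a chain made only of Any wrappers never trips the limit and the
    interpreter raises RecursionError instead."""
    if depth > MAX_RECURSION_DEPTH:
        raise ParseError(f"message nesting exceeds {MAX_RECURSION_DEPTH}")
    if isinstance(node, dict):
        if node.get("@type") == ANY_TYPE:
            return {"any": parse_unaccounted(node["value"], depth)}   # BUG: depth unchanged
        return {k: parse_unaccounted(v, depth + 1) for k, v in node.items()}
    return node


def parse_accounted(node, depth=0):
    """Correct accounting: every recursive step, Any unwrap included, costs one level,
    so hostile input is refused with a controlled ParseError at depth 101."""
    if depth > MAX_RECURSION_DEPTH:
        raise ParseError(f"message nesting exceeds {MAX_RECURSION_DEPTH}")
    if isinstance(node, dict):
        if node.get("@type") == ANY_TYPE:
            return {"any": parse_accounted(node["value"], depth + 1)}
        return {k: parse_accounted(v, depth + 1) for k, v in node.items()}
    return node


def outcome(parser, payload):
    """Run a parser and report how it ended: 'ok', 'ParseError' or 'RecursionError'."""
    try:
        parser(payload)
        return "ok"
    except ParseError:
        return "ParseError"
    except RecursionError:
        return "RecursionError"


if __name__ == "__main__":
    hostile = nested_any_payload(5000)
    print("unaccounted:", outcome(parse_unaccounted, hostile))   # interpreter limit hit
    print("accounted:  ", outcome(parse_accounted, hostile))     # refused at depth 101
    print("benign:     ", outcome(parse_accounted, nested_any_payload(50)))
```

The same discipline applies to a wire-format parser: a group start (SGROUP) or an embedded message must increment the depth counter before the parser descends, or the limit is decorative.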
CVE-2025-67724
Vulnerable Library - tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/tornado-6.4.2.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - ❌ tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.
Publish Date: 2025-12-12
URL: CVE-2025-67724
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution (tornado): 6.5.3
Direct dependency fix Resolution (streamlit): 1.40.2
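The reason phrase reaches two different sinks, the status line (where a CR/LF lets an attacker terminate the line and append headers) and the default error page (where markup becomes XSS), so it needs two different defences. The block below is an added example for this page, not tornado's code: it restricts the phrase to the characters a status line may carry and HTML-escapes it before it is placed in a page. The character class (HTAB, SP, VCHAR and obs-text) is taken from the HTTP/1.1 grammar; the error-page layout is an assumption of the example.

```python
import html
import re

# HTTP/1.1 reason-phrase = *( HTAB / SP / VCHAR / obs-text ); CR and LF end the
# status line, so any phrase containing them would let new header lines be appended.
_REASON_CHARS = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class BadReason(ValueError):
    pass


def validate_reason(reason):
    """Return `reason` unchanged if it is a legal reason-phrase, else raise."""
    if not isinstance(reason, str) or _REASON_CHARS.fullmatch(reason) is None:
        raise BadReason("reason phrase contains characters not allowed in a status line")
    return reason


def status_line(code, reason):
    """Build the status line; the phrase is validated before it is interpolated."""
    return f"HTTP/1.1 {code} {validate_reason(reason)}\r\n"


def error_page(code, reason):
    """Default error page body; the phrase is escaped so markup renders inert."""
    safe = html.escape(validate_reason(reason), quote=True)
    return f"<html><title>{code}: {safe}</title><body>{code}: {safe}</body></html>"


def is_rejected(reason):
    """True when validate_reason refuses the phrase."""
    try:
        validate_reason(reason)
        return False
    except BadReason:
        return True


if __name__ == "__main__":
    # Constructed attacker inputs: header injection via CRLF, and XSS via markup
    for candidate in ["Not Found", "OK\r\nSet-Cookie: session=attacker", "<script>alert(1)</script>"]:
        print(repr(candidate), "rejected" if is_rejected(candidate) else repr(error_page(500, candidate)))
```

Note that the two defences are independent: a phrase with no CR/LF can still carry `<script>`, and an escaped phrase can still break the status line, so a fix has to do both, which is what the 6.5.3 description implies.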
CVE-2025-50182
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - requests-2.32.3-py3-none-any.whl
    - ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-19
URL: CVE-2025-50182
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-19
Fix Resolution (urllib3): 2.5.0 (tag 2.5.0 in https://github.com/urllib3/urllib3.git)
CVE-2025-50181
Vulnerable Library - urllib3-2.2.3-py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/attic/ui/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/urllib3-2.2.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - requests-2.32.3-py3-none-any.whl
    - ❌ urllib3-2.2.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disables redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
Publish Date: 2025-06-19
URL: CVE-2025-50181
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-06-19
Fix Resolution (urllib3): 2.5.0
Direct dependency fix Resolution (streamlit): 1.40.2
CVE-2024-47081
Vulnerable Library - requests-2.32.3-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl
Path to dependency file: /default/dockerbuild/react-ui/crud-app/backend/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019411/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019531/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019261/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019331/env/lib/python3.8/site-packages/requests-2.32.3.dist-info,/tmp/ws-ua_20250115001842_FLMVYU/python_HMRKSI/202501150019151/env/lib/python3.8/site-packages/requests-2.32.3.dist-info
Dependency Hierarchy:
- streamlit-1.40.1-py2.py3-none-any.whl (Root Library)
  - ❌ requests-2.32.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with "trust_env=False" on one's Requests Session.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-06-09
URL: CVE-2024-47081
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9hjg-9r4m-mvj7
Release Date: 2025-06-09
Fix Resolution (requests): 2.32.4
Direct dependency fix Resolution (streamlit): 1.40.2
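The failure class behind this finding is a .netrc lookup keyed on the wrong part of the URL: if the machine name is derived from the authority in a way that stops at the first colon, a URL whose userinfo is `trusted.example:` resolves credentials for trusted.example and then sends them to the actual host. The block below is an added example for this page and not requests' code; the flawed lookup is a simplified stand-in modelled on the advisory's description, and the corrected one keys on `urlsplit(url).hostname`, which strips userinfo and port. The sample .netrc content and host names are constructed for the example.

```python
import netrc
import os
import tempfile
from urllib.parse import urlsplit

# Constructed sample: one credential pair for a host the application trusts
NETRC_TEXT = "machine trusted.example login ci-bot password s3cret\n"


def load_netrc(text):
    """Parse .netrc text with the standard library (which wants a file path)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".netrc") as fh:
        fh.write(text)
        path = fh.name
    try:
        return netrc.netrc(path)
    finally:
        os.unlink(path)


def host_from_netloc_split(url):
    """Flawed stand-in: everything before the first ':' of the authority.
    With 'user:pass@host' in the URL that is the userinfo, not the host."""
    return urlsplit(url).netloc.split(":")[0]


def host_from_hostname(url):
    """Correct: .hostname drops userinfo and port, leaving only the host."""
    return urlsplit(url).hostname


def netrc_auth_for(url, nrc, host_of):
    """Return (login, password) from `nrc` for the host `host_of` extracts, or None."""
    host = host_of(url)
    entry = nrc.authenticators(host) if host else None
    return None if entry is None else (entry[0], entry[2])


if __name__ == "__main__":
    nrc = load_netrc(NETRC_TEXT)
    crafted = "http://trusted.example:@evil.example/collect"
    print("flawed lookup sends:", netrc_auth_for(crafted, nrc, host_from_netloc_split))
    print("correct lookup sends:", netrc_auth_for(crafted, nrc, host_from_hostname))
```

With the flawed lookup the crafted URL yields ci-bot's password even though the request goes to evil.example; with the hostname-based lookup it yields nothing. Where upgrading is not yet possible, `Session(trust_env=False)`, as the advisory text says, stops requests from consulting .netrc at all.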