Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error via the cookies parameter, which is processed by connectandsendrequest in client.py. An attacker who can control a redirect on a request that passes cookies on a per-request basis can expose data from those...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure over the /static endpoint. An attacker can determine the existence of internal path components by sending requests to probe for absolute path elements. Remediation Upgrade aiohttp to version 3.13.3 or higher...

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling via the parsing of Range headers. An attacker can potentially interfere with HTTP request processing by supplying non-ASCII decimals in the header, which may lead to unexpected parser mismatches. Remediation Upgra...

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling via the unicode processing of HTTP header values. An attacker can bypass firewall or proxy protections by sending requests containing non-ASCII characters. Note: This is only exploitable if C extensions are not in...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the autodecompress feature in the ZLibDecompressor class. An attacker can exhaust system memory by sending a compressed request that, when decompressed, consumes excessive...

EUVD-2023-0003

Malicious code in bioql PyPI...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the SelectorSocketTransport.writelines method not draining its buffers, when Protocols are in use. An attacker can cause this behavior which eventually exhausts available memor...