EUVD-2025-18201

Malicious code in bioql PyPI...

Vantage6 Server JWT secret not cryptographically secure

Impact The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent Patches No Workarounds You may define JWT secret key in the server configuration file...

GHSA-M3MQ-F375-5VGH Vantage6 Server JWT secret not cryptographically secure

Impact The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent Patches No Workarounds You may define JWT secret key in the server configuration file...

vantage6-algorithm-store (>=4.10.0 <=4.10.2), vantage6-node (>=0.0.0 <=4.10.2) +1 more potentially affected by CVE-2025-43863 via vantage6 (>=0.0.0 <=4.10.2)

vantage6 PYPI version =0.0.0, =4.10.0, =0.0.0, =0.0.0, =4.10.2 Source cves: CVE-2025-43863 Source advisory: OSV:GHSA-J6G5-P62X-58HW...

Insecure Randomness

Overview vantage6-server is a Vantage6 server Affected versions of this package are vulnerable to Insecure Randomness via the configureflask function, due to the predictable nature of the auto-generated secret key, an attacker can determine it and forge valid security tokens. This allows them to...

CVE-2025-43866 Vantage6 Server JWT secret not cryptographically secure

vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is...

CVE-2025-43866 Vantage6 Server JWT secret not cryptographically secure

vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is...

Brute Force

Overview vantage6-server is a Vantage6 server Affected versions of this package are vulnerable to Brute Force due to a lack of rate limiting on the password change functionality. An attacker who has gained access to an authenticated session can attempt to brute-force the user's password. They can...

vantage6-algorithm-store (>=4.3.0 <=4.15.0rc4), vantage6-node (>=0.0.0 <=4.15.0rc4) +1 more potentially affected by CVE-2024-32969 via vantage6 (>=0.0.0 <=4.5.0)

vantage6 PYPI version =0.0.0, =4.3.0, =0.0.0, =0.0.0, =4.15.0rc4 Source cves: CVE-2024-32969 Source advisory: OSV:GHSA-99R4-CJP4-3HMX...

PT-2024-20105 · Vantage6 · Vantage6

Name of the Vulnerable Software and Affected Versions: vantage6 affected versions not specified Description: The vantage6 server has no restrictions on CORS settings, which should be configurable to set allowed origins. The impact is limited because v6 does not use session cookies. Recommendation...

vantage6-algorithm-store (>=4.10.0 <=4.15.0rc4), vantage6-node (>=0.0.0 <=4.15.0rc4) +1 more potentially affected by CVE-2024-22193 via vantage6 (>=0.0.0 <=4.1.3)

vantage6 PYPI version =0.0.0, =4.10.0, =0.0.0, =0.0.0, =4.15.0rc4 Source cves: CVE-2024-22193 Source advisory: OSV:GHSA-RJMV-52MP-GJRR...

vantage6-node (>=0.0.0 <=3.11.1), vantage6-server (>=0.0.0 <=3.11.1) potentially affected by CVE-2023-28635 via vantage6 (>=0.0.0 <=3.9.0rc4)

vantage6 PYPI version =0.0.0, =0.0.0, =0.0.0, =3.11.1 Source cves: CVE-2023-28635 Source advisory: OSV:GHSA-7X94-6G2M-3HP2...

vantage6-node (>=0.0.0 <=3.11.1), vantage6-server (>=0.0.0 <=3.11.1) potentially affected by CVE-2023-41882 via vantage6 (>=0.0.0 <=3.9.0rc4)

vantage6 PYPI version =0.0.0, =0.0.0, =0.0.0, =3.11.1 Source cves: CVE-2023-41882 Source advisory: OSV:GHSA-GC57-XHH5-M94R...

vantage6-node (>=0.0.0 <=4.0.1rc2), vantage6-server (>=0.0.0 <=4.0.1rc2) potentially affected by CVE-2023-23930 via vantage6 (>=0.0.0 <=4.0.1rc2)

vantage6 PYPI version =0.0.0, =0.0.0, =0.0.0, =4.0.1rc2 Source cves: CVE-2023-23930 Source advisory: OSV:GHSA-5M22-CFQ9-86X6...

Improper Access Control

vantage6-server is vulnerable to Improper Access Control. The vulnerability is due to improper permission checks in the /api/collaboration/id/task endpoint which retrieves tasks from a collaboration. Vantage only checks if the user has permission to view the collaboration, but should also check i...

vantage6-node (>=0.0.0 <=3.11.1), vantage6-server (>=0.0.0 <=3.11.1) potentially affected by CVE-2023-41881 via vantage6 (>=0.0.0 <=3.9.0rc4)

vantage6 PYPI version =0.0.0, =0.0.0, =0.0.0, =3.11.1 Source cves: CVE-2023-41881 Source advisory: OSV:PYSEC-2023-200...

vantage6-node (>=3.7.0 <=3.8.0), vantage6-server (>=3.7.0 <=3.8.0) potentially affected by CVE-2023-22738 via vantage6 (>=3.7.0 <=3.8.0)

vantage6 PYPI version =3.7.0, =3.7.0, =3.7.0, =3.8.0 Source cves: CVE-2023-22738 Source advisory: OSV:PYSEC-2023-53...

vantage6-node (>=3.3.3 <=3.7.3), vantage6-server (>=3.3.3 <=3.7.3) potentially affected by CVE-2022-39228 via vantage6 (>=3.3.3 <=3.7.3)

vantage6 PYPI version =3.3.3, =3.3.3, =3.3.3, =3.7.3 Source cves: CVE-2022-39228 Source advisory: OSV:PYSEC-2023-52...

vantage6-node (>=0.0.0 <=3.11.1), vantage6-server (>=0.0.0 <=3.11.1) potentially affected by CVE-2022-39228 via vantage6 (>=0.0.0 <=3.7.3)

vantage6 PYPI version =0.0.0, =0.0.0, =0.0.0, =3.11.1 Source cves: CVE-2022-39228 Source advisory: OSV:GHSA-36GX-9Q6H-G429...