Description
Vulnerable Library - eth_brownie-1.19.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/requests-2.27.1.dist-info
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (eth_brownie version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2024-24563 | 9.8 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2024-24561 | 9.8 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2025-27105 | 9.1 | vyper-0.3.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2026-21441 | 8.6 | urllib3-1.26.9-py2.py3-none-any.whl | Transitive | 1.21.0 | ❌ |
| CVE-2025-66471 | 8.6 | urllib3-1.26.9-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-66418 | 8.6 | urllib3-1.26.9-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2022-29255 | 8.2 | vyper-0.3.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2023-42443 | 8.1 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2025-69229 | 7.5 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2025-69228 | 7.5 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2025-69227 | 7.5 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2025-69223 | 7.5 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2025-53643 | 7.5 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2025-4565 | 7.5 | protobuf-3.20.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Transitive | 1.19.1 | ❌ |
| CVE-2025-27104 | 7.5 | vyper-0.3.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-26622 | 7.5 | vyper-0.3.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-21607 | 7.5 | vyper-0.3.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2024-39689 | 7.5 | certifi-2022.5.18.1-py3-none-any.whl | Transitive | 1.21.0 | ❌ |
| CVE-2024-3651 | 7.5 | idna-3.3-py3-none-any.whl | Transitive | 1.19.1 | ❌ |
| CVE-2024-30251 | 7.5 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2023-46247 | 7.5 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-37920 | 7.5 | certifi-2022.5.18.1-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-32059 | 7.5 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-32058 | 7.5 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-31146 | 7.5 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-30837 | 7.5 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-30629 | 7.5 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2022-40898 | 7.5 | wheel-0.37.1-py2.py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2022-1941 | 7.5 | protobuf-3.20.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl | Transitive | 1.19.2 | ❌ |
| CVE-2022-29217 | 7.4 | PyJWT-1.7.1-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2024-22419 | 7.3 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2023-49081 | 7.2 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.20.0 | ❌ |
| CVE-2022-23491 | 6.8 | certifi-2022.5.18.1-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-69230 | 6.5 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2025-69224 | 6.5 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2024-23829 | 6.5 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.20.0 | ❌ |
| CVE-2024-27306 | 6.1 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2023-32681 | 6.1 | requests-2.27.1-py2.py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2024-23334 | 5.9 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-43804 | 5.9 | urllib3-1.26.9-py2.py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2022-1930 | 5.9 | eth_account-0.5.7-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2024-35195 | 5.6 | requests-2.27.1-py2.py3-none-any.whl | Transitive | 1.21.0 | ❌ |
| CVE-2022-40896 | 5.5 | Pygments-2.12.0-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2022-33124 | 5.5 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | N/A* | ❌ |
| CVE-2025-69226 | 5.3 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2025-69225 | 5.3 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2025-50181 | 5.3 | urllib3-1.26.9-py2.py3-none-any.whl | Transitive | 1.19.1 | ❌ |
| CVE-2025-47774 | 5.3 | vyper-0.3.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2025-47285 | 5.3 | vyper-0.3.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2024-52304 | 5.3 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.21.0 | ❌ |
| CVE-2024-47081 | 5.3 | requests-2.27.1-py2.py3-none-any.whl | Transitive | 1.19.1 | ❌ |
| CVE-2024-32649 | 5.3 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2024-32648 | 5.3 | vyper-0.3.3-py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2024-32647 | 5.3 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2024-32646 | 5.3 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2024-32645 | 5.3 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2024-21503 | 5.3 | black-22.3.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | Transitive | N/A* | ❌ |
| CVE-2023-49082 | 5.3 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-47627 | 5.3 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-42441 | 5.3 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-37902 | 5.3 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-37276 | 5.3 | aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl | Transitive | 1.20.0 | ❌ |
| CVE-2024-34062 | 4.8 | tqdm-4.64.0-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
| CVE-2024-24567 | 4.8 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2024-37891 | 4.4 | urllib3-1.26.9-py2.py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| WS-2023-0428 | 4.3 | eth_abi-2.1.1-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-45803 | 4.2 | urllib3-1.26.9-py2.py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2024-26149 | 3.7 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2024-24564 | 3.7 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2024-24560 | 3.7 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2024-24559 | 3.7 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.7 | ❌ |
| CVE-2023-41052 | 3.7 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-40015 | 3.7 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
| CVE-2023-32675 | 3.7 | vyper-0.3.3-py3-none-any.whl | Transitive | 1.20.0 | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Partial details (13 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2024-24563
Vulnerable Library - vyper-0.3.3-py3-none-any.whl
Vyper: the Pythonic Programming Language for the EVM
Library home page: https://files.pythonhosted.org/packages/9f/d5/46fc6d82a6de7950f88d93bef191dd6bdfb038f04e08f38ff8c1e5b236d1/vyper-0.3.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/vyper-0.3.3.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ vyper-0.3.3-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting the usage of an "int" as an index for an array; it allows signed integers to be used as indexes to arrays. The vulnerability is present in different forms in all versions, including "0.3.10". For ints, the 2's complement representation is used. Because the array was declared very large, the bounds checking will pass: negative values will simply be represented as very large numbers. As of time of publication, a fixed version does not exist.
There are three potential vulnerability classes: unpredictable behavior, accessing inaccessible elements and denial of service. Class 1: If it is possible to index an array with a negative integer without reverting, this is most likely not anticipated by the developer and such accesses can cause unpredictable behavior for the contract. Class 2: If a contract has an invariant in the form "assert index < x", the developer will suppose that no elements on indexes "y | y >= x" are accessible. However, by using negative indexes, this can be bypassed. Class 3: If the index is dependent on the state of the contract, this poses a risk of denial of service. If the state of the contract can be manipulated in such a way that the index will be forced to be negative, the array access can always revert (because most likely the array won't be declared extremely large). However, all these scenarios are highly unlikely. The most likely behavior is a revert on the bounds check.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-02-07
URL: CVE-2024-24563
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-52xq-j7v9-v4v2
Release Date: 2024-02-07
Fix Resolution (vyper): 0.4.0
Direct dependency fix Resolution (eth-brownie): 1.20.7
Step up your Open Source Security Game with Mend here
CVE-2024-24561
Vulnerable Library - vyper-0.3.3-py3-none-any.whl
Vyper: the Pythonic Programming Language for the EVM
Library home page: https://files.pythonhosted.org/packages/9f/d5/46fc6d82a6de7950f88d93bef191dd6bdfb038f04e08f38ff8c1e5b236d1/vyper-0.3.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/vyper-0.3.3.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ vyper-0.3.3-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-02-01
URL: CVE-2024-24561
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9x7f-gwxq-6f2c
Release Date: 2024-02-01
Fix Resolution (vyper): 0.4.0
Direct dependency fix Resolution (eth-brownie): 1.20.7
CVE-2025-27105
Vulnerable Library - vyper-0.3.3-py3-none-any.whl
Vyper: the Pythonic Programming Language for the EVM
Library home page: https://files.pythonhosted.org/packages/9f/d5/46fc6d82a6de7950f88d93bef191dd6bdfb038f04e08f38ff8c1e5b236d1/vyper-0.3.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/vyper-0.3.3.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ vyper-0.3.3-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, when the target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the bounds check will not be re-evaluated during the write portion of the statement. This issue has been addressed in version 0.4.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2025-02-21
URL: CVE-2025-27105
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4w26-8p97-f4jp
Release Date: 2025-02-21
Fix Resolution: vyper - 0.4.1
CVE-2026-21441
Vulnerable Library - urllib3-1.26.9-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ec/03/062e6444ce4baf1eac17a6a0ebfe36bb1ad05e1df0e20b110de59c278498/urllib3-1.26.9-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/urllib3-1.26.9.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ urllib3-1.26.9-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP "Content-Encoding" header (e.g., "gzip", "deflate", "br", or "zstd"). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting "preload_content=False" and do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode the content of redirect responses when "preload_content=False". If upgrading is not immediately possible, disable redirects by setting "redirect=False" for requests to untrusted sources.
Publish Date: 2026-01-07
URL: CVE-2026-21441
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-38jv-5279-wg99
Release Date: 2026-01-07
Fix Resolution (urllib3): 2.6.3
Direct dependency fix Resolution (eth-brownie): 1.21.0
CVE-2025-66471
Vulnerable Library - urllib3-1.26.9-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ec/03/062e6444ce4baf1eac17a6a0ebfe36bb1ad05e1df0e20b110de59c278498/urllib3-1.26.9-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/urllib3-1.26.9.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ urllib3-1.26.9-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).
Publish Date: 2025-12-05
URL: CVE-2025-66471
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-2xpw-w6gg-jr37
Release Date: 2025-12-05
Fix Resolution: urllib3 - 2.6.0, https://github.com/urllib3/urllib3.git - 2.6.0
CVE-2025-66418
Vulnerable Library - urllib3-1.26.9-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/ec/03/062e6444ce4baf1eac17a6a0ebfe36bb1ad05e1df0e20b110de59c278498/urllib3-1.26.9-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/urllib3-1.26.9.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ urllib3-1.26.9-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps, leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
Publish Date: 2025-12-05
URL: CVE-2025-66418
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-05
Fix Resolution: https://github.com/urllib3/urllib3.git - 2.6.0, urllib3 - 2.6.0
CVE-2022-29255
Vulnerable Library - vyper-0.3.3-py3-none-any.whl
Vyper: the Pythonic Programming Language for the EVM
Library home page: https://files.pythonhosted.org/packages/9f/d5/46fc6d82a6de7950f88d93bef191dd6bdfb038f04e08f38ff8c1e5b236d1/vyper-0.3.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/vyper-0.3.3.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ vyper-0.3.3-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In versions prior to 0.3.4, when calling an external contract with no return value, the contract address (including side effects) could be evaluated twice. This may result in incorrect outcomes for contracts. This issue has been addressed in v0.3.4.
Publish Date: 2022-06-06
URL: CVE-2022-29255
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: Low
CVE-2023-42443
Vulnerable Library - vyper-0.3.3-py3-none-any.whl
Vyper: the Pythonic Programming Language for the EVM
Library home page: https://files.pythonhosted.org/packages/9f/d5/46fc6d82a6de7950f88d93bef191dd6bdfb038f04e08f38ff8c1e5b236d1/vyper-0.3.3-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/vyper-0.3.3.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ vyper-0.3.3-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). In version 0.3.9 and prior, under certain conditions, the memory used by the builtins "raw_call", "create_from_blueprint" and "create_copy_of" can be corrupted. For "raw_call", the argument buffer of the call can be corrupted, leading to incorrect "calldata" in the sub-context. For "create_from_blueprint" and "create_copy_of", the buffer for the to-be-deployed bytecode can be corrupted, leading to deploying incorrect bytecode.
Each builtin has conditions that must be fulfilled for the corruption to happen. For "raw_call", the "data" argument of the builtin must be "msg.data" and the "value" or "gas" passed to the builtin must be some complex expression that results in writing to the memory. For "create_copy_of", the "value" or "salt" passed to the builtin must be some complex expression that results in writing to the memory. For "create_from_blueprint", either no constructor parameters should be passed to the builtin or "raw_args" should be set to True, and the "value" or "salt" passed to the builtin must be some complex expression that results in writing to the memory.
As of time of publication, no patched version exists. The issue is still being investigated, and there might be other cases where the corruption might happen. When the builtin is being called from an "internal" function "F", the issue is not present provided that the function calling "F" wrote to memory before calling "F". As a workaround, the complex expressions that are being passed as kwargs to the builtin should be cached in memory prior to the call to the builtin.
Publish Date: 2023-09-18
URL: CVE-2023-42443
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-c647-pxm2-c52w
Release Date: 2023-09-18
Fix Resolution (vyper): 0.3.10
Direct dependency fix Resolution (eth-brownie): 1.20.0
CVE-2025-69229
Vulnerable Library - aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/aiohttp-3.8.1.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.
Publish Date: 2026-01-05
URL: CVE-2025-69229
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-g84x-mcqj-x9qq
Release Date: 2026-01-06
Fix Resolution (aiohttp): 3.13.3
Direct dependency fix Resolution (eth-brownie): 1.21.0
CVE-2025-69228
Vulnerable Library - aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/aiohttp-3.8.1.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.
Publish Date: 2026-01-05
URL: CVE-2025-69228
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6jhg-hg63-jvvf
Release Date: 2026-01-06
Fix Resolution (aiohttp): 3.13.3
Direct dependency fix Resolution (eth-brownie): 1.21.0
CVE-2025-69227
Vulnerable Library - aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/aiohttp-3.8.1.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.
Publish Date: 2026-01-05
URL: CVE-2025-69227
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jj3x-wxrx-4x23
Release Date: 2026-01-06
Fix Resolution (aiohttp): 3.13.3
Direct dependency fix Resolution (eth-brownie): 1.21.0
CVE-2025-69223
Vulnerable Library - aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/aiohttp-3.8.1.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.
Publish Date: 2026-01-05
URL: CVE-2025-69223
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6mq8-rvhq-8wgg
Release Date: 2026-01-05
Fix Resolution (aiohttp): 3.13.3
Direct dependency fix Resolution (eth-brownie): 1.21.0
CVE-2025-53643
Vulnerable Library - aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251123120822_PATZQW/python_RBFPHF/202511231210201/env/lib/python3.9/site-packages/aiohttp-3.8.1.dist-info
Dependency Hierarchy:
- eth_brownie-1.19.0-py3-none-any.whl (Root Library)
  - ❌ aiohttp-3.8.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 0f1cc4f79fdab9e4d90aa9caf963ea2e271c0183
Found in base branch: main
Vulnerability Details
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
Publish Date: 2025-07-14
URL: CVE-2025-53643
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9548-qrrj-x5pj
Release Date: 2025-07-14
Fix Resolution (aiohttp): 3.12.14
Direct dependency fix Resolution (eth-brownie): 1.21.0