
Vulnerability_id: VCID-cb8t-3e3r-f3et
Summary
aiograpi has a dependency on vulnerable orjson 3.11.4 (CVE-2025-67221)
## Impact

aiograpi 0.6.6 / 0.7.0 / 0.7.1 declared `orjson==3.11.6` (and later `==3.11.8`) in `requirements.txt`, but `setup.py` carried a hard-coded duplicate `requirements = [...]` list that was never updated and still pinned `orjson==3.11.4`.

When `setuptools` builds the source distribution it takes the dependency metadata from `setup.py`, not from `requirements.txt`, so `pip install aiograpi==0.6.6` (or 0.7.0 / 0.7.1) actually pulls `orjson==3.11.4`, a version vulnerable to **CVE-2025-67221** (stack overflow in `orjson.dumps` on deeply nested JSON inputs).
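As an added example (not part of the advisory or of aiograpi's own code), a small Python check that catches exactly this class of drift: it extracts exact `==` pins from `requirements.txt` and from every string list literal in `setup.py`, then reports packages whose versions disagree. The sample inputs are constructed; only the orjson pins reflect the advisory.

```python
import ast
import re

# Exact pin such as "orjson==3.11.4" (constructed; extras, markers and non-== specifiers are ignored).
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)")

def pins_from_requirements(text: str) -> dict:
    """Return {name: version} for every exact pin in a requirements.txt body."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def pins_from_setup_py(source: str) -> dict:
    """Return {name: version} for exact pins in any string list in setup.py.
    Every list literal is inspected (a module-level requirements = [...] as well
    as an inline install_requires=[...]), so a stale duplicate list is not missed."""
    pins = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.List):
            for elt in node.elts:
                if isinstance(elt, ast.Constant) and isinstance(elt.value, str):
                    m = PIN_RE.match(elt.value)
                    if m:
                        pins[m.group(1).lower()] = m.group(2)
    return pins

def pin_drift(requirements_txt: str, setup_py: str) -> dict:
    """Map each package pinned differently in the two files to
    (requirements.txt version, setup.py version)."""
    req = pins_from_requirements(requirements_txt)
    setup = pins_from_setup_py(setup_py)
    return {n: (req[n], setup[n]) for n in req if n in setup and req[n] != setup[n]}

# Constructed sample inputs mirroring the mismatch described above; the aiohttp
# line is invented filler, only the orjson pins come from the advisory.
SAMPLE_REQUIREMENTS = "aiohttp==3.9.5\norjson==3.11.6\n"
SAMPLE_SETUP_PY = '''
from setuptools import setup
requirements = ["aiohttp==3.9.5", "orjson==3.11.4"]
setup(name="aiograpi", install_requires=requirements)
'''

if __name__ == "__main__":
    for name, (declared, shipped) in pin_drift(SAMPLE_REQUIREMENTS, SAMPLE_SETUP_PY).items():
        print(f"{name}: requirements.txt says {declared}, setup.py will install {shipped}")
```

Running this in CI against both files would have flagged `orjson: requirements.txt says 3.11.6, setup.py will install 3.11.4` before the release shipped.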

## Practical exploitability

Low in the typical aiograpi flow: `orjson` is used to encode request bodies that aiograpi itself constructs and to decode responses returned by Instagram. An attacker would need to coerce aiograpi into encoding an attacker-controlled, deeply nested Python structure or into decoding an attacker-supplied stream, which is not the normal call shape.

However, any caller doing `client.public_request(...)` or similar with caller-controlled payloads, or any caller passing aiograpi-decoded `last_json` into recursive serialization, may hit the unbounded recursion. The patched orjson rejects deeply nested inputs cleanly.

## Patches

Fixed in **aiograpi 0.7.2** by migrating to `pyproject.toml` (PEP 621), which is now the single source of truth for dependencies. PyPI installs of 0.7.2 and later resolve `orjson==3.11.8` correctly.

## Workarounds

Force-install a non-vulnerable orjson alongside the affected aiograpi version:

```
pip install 'aiograpi==0.7.1' 'orjson>=3.11.6'
```

Or just upgrade to a fixed aiograpi:

```
pip install -U 'aiograpi>=0.7.2'
```

## Resources

- orjson CVE-2025-67221 advisory: https://github.com/ijl/orjson/security/advisories
- aiograpi 0.7.2 changelog (security section): https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27
Aliases
  - GHSA-7mw3-79jq-xc7f
Fixed_packages
  - url: pkg:pypi/aiograpi@0.7.2
    purl: pkg:pypi/aiograpi@0.7.2
    is_vulnerable: false
    affected_by_vulnerabilities:
    resource_url: http://public2.vulnerablecode.io/packages/pkg:pypi/aiograpi@0.7.2
Affected_packages
  - url: pkg:pypi/aiograpi@0.6.6
    purl: pkg:pypi/aiograpi@0.6.6
    is_vulnerable: true
    affected_by_vulnerabilities: VCID-cb8t-3e3r-f3et
    resource_url: http://public2.vulnerablecode.io/packages/pkg:pypi/aiograpi@0.6.6
  - url: pkg:pypi/aiograpi@0.7.0
    purl: pkg:pypi/aiograpi@0.7.0
    is_vulnerable: true
    affected_by_vulnerabilities: VCID-cb8t-3e3r-f3et
    resource_url: http://public2.vulnerablecode.io/packages/pkg:pypi/aiograpi@0.7.0
  - url: pkg:pypi/aiograpi@0.7.1
    purl: pkg:pypi/aiograpi@0.7.1
    is_vulnerable: true
    affected_by_vulnerabilities: VCID-cb8t-3e3r-f3et
    resource_url: http://public2.vulnerablecode.io/packages/pkg:pypi/aiograpi@0.7.1
References
  - reference_url: https://github.com/ijl/orjson/security/advisories
    reference_id:
    reference_type:
    scores:
      - value: 2.9, scoring_system: cvssv4, scoring_elements: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
      - value: LOW, scoring_system: generic_textual, scoring_elements:
    url: https://github.com/ijl/orjson/security/advisories
  - reference_url: https://github.com/subzeroid/aiograpi
    reference_id:
    reference_type:
    scores:
      - value: 2.9, scoring_system: cvssv4, scoring_elements: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
      - value: LOW, scoring_system: generic_textual, scoring_elements:
    url: https://github.com/subzeroid/aiograpi
  - reference_url: https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27
    reference_id:
    reference_type:
    scores:
      - value: 2.9, scoring_system: cvssv4, scoring_elements: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
      - value: LOW, scoring_system: generic_textual, scoring_elements:
    url: https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27
  - reference_url: https://github.com/subzeroid/aiograpi/security/advisories/GHSA-7mw3-79jq-xc7f
    reference_id:
    reference_type:
    scores:
      - value: LOW, scoring_system: cvssv3.1_qr, scoring_elements:
      - value: 2.9, scoring_system: cvssv4, scoring_elements: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
      - value: LOW, scoring_system: generic_textual, scoring_elements:
    url: https://github.com/subzeroid/aiograpi/security/advisories/GHSA-7mw3-79jq-xc7f
  - reference_url: https://github.com/advisories/GHSA-7mw3-79jq-xc7f
    reference_id: GHSA-7mw3-79jq-xc7f
    reference_type:
    scores:
      - value: LOW, scoring_system: cvssv3.1_qr, scoring_elements:
    url: https://github.com/advisories/GHSA-7mw3-79jq-xc7f
Weaknesses
  - cwe_id: 770
    name: Allocation of Resources Without Limits or Throttling
    description: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
  - cwe_id: 937
    name: OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
    description: Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
  - cwe_id: 1035
    name: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
    description: Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score: 0.1 - 3
Exploitability: 0.5
Weighted_severity: 2.7
Risk_score: 1.4
Resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-cb8t-3e3r-f3et