VulnerableCode Package Details - pkg:pypi/vantage6@4.3.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-cc7t-us5t-ffbb Aliases: CVE-2025-43863 GHSA-j6g5-p62x-58hw PYSEC-2025-220	vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password functionality: they can call that route infinitely which will return the message that password is wrong until it is correct. This vulnerability is fixed in 4.11.	4.11.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-cc7t-us5t-ffbb
Aliases:
CVE-2025-43863
GHSA-j6g5-p62x-58hw
PYSEC-2025-220

vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password functionality: they can call that route infinitely which will return the message that password is wrong until it is correct. This vulnerability is fixed in 4.11.

4.11.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-cwg5-wr8x-vuf3	vantage6's CORS settings overly permissive ### Impact The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies ### Patches No ### Workarounds No	CVE-2024-23823 GHSA-4946-85pr-fvxh
VCID-zvar-nu8h-8qd8	vantage6 vulnerable to a username timing attack on recover password/MFA token ### Impact Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/lost` and `/2fa/lost`, which send emails to users if they have lost their password or MFA token. Usernames can be found by assessing response time differences, and additionally, they can be found because the endpoint gives a response "Failed to login" if the username exists. ### Patches No ### Workarounds No	CVE-2024-24770 GHSA-5h3x-6gwf-73jm

Vulnerability

Summary

Aliases

VCID-cwg5-wr8x-vuf3

vantage6's CORS settings overly permissive ### Impact The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies ### Patches No ### Workarounds No

CVE-2024-23823
GHSA-4946-85pr-fvxh

VCID-zvar-nu8h-8qd8

vantage6 vulnerable to a username timing attack on recover password/MFA token ### Impact Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes `/recover/lost` and `/2fa/lost`, which send emails to users if they have lost their password or MFA token. Usernames can be found by assessing response time differences, and additionally, they can be found because the endpoint gives a response "Failed to login" if the username exists. ### Patches No ### Workarounds No

CVE-2024-24770
GHSA-5h3x-6gwf-73jm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:47:22.966851+00:00	GitLab Importer	Fixing	VCID-zvar-nu8h-8qd8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/vantage6/CVE-2024-24770.yml	38.6.0
2026-06-02T04:47:22.683711+00:00	GitLab Importer	Fixing	VCID-cwg5-wr8x-vuf3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/vantage6/CVE-2024-23823.yml	38.6.0
2026-06-02T04:23:09.547594+00:00	Pypa Importer	Affected by	VCID-cc7t-us5t-ffbb	https://github.com/pypa/advisory-database/blob/main/vulns/vantage6/PYSEC-2025-220.yaml	38.6.0