| purl | pkg:rpm/redhat/automation-controller@4.6.25-1?arch=el9ap |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-k122-7d38-2ug5 Aliases: CVE-2025-53643 GHSA-9548-qrrj-x5pj | AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections. Summary: The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. Impact: If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Patch: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a | There are no reported fixed by versions. |
| VCID-sjws-ddnq-fke2 Aliases: CVE-2025-69223 GHSA-6mq8-rvhq-8wgg | AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb. Summary: A zip bomb can be used to execute a DoS against the aiohttp server. Impact: An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory. Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a | There are no reported fixed by versions. |
| VCID-ukkt-wgau-t3et Aliases: CVE-2025-64460 GHSA-vrcr-9hj9-jcg6 | Django is vulnerable to DoS via XML serializer text extraction. An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | There are no reported fixed by versions. |
| VCID-zevs-1ge5-y7g7 Aliases: CVE-2025-66471 GHSA-2xpw-w6gg-jr37 | urllib3 streaming API improperly handles highly compressed data. urllib3's [streaming API](https://urllib3.readthedocs.io/en/2.5.0/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-02T17:22:44.312589+00:00 | RedHat Importer | Affected by | VCID-sjws-ddnq-fke2 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69223.json | 38.1.0 |
| 2026-04-01T13:38:34.204670+00:00 | RedHat Importer | Affected by | VCID-k122-7d38-2ug5 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53643.json | 38.0.0 |
| 2026-04-01T13:34:46.797641+00:00 | RedHat Importer | Affected by | VCID-ukkt-wgau-t3et | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64460.json | 38.0.0 |
| 2026-04-01T13:34:00.893723+00:00 | RedHat Importer | Affected by | VCID-zevs-1ge5-y7g7 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66471.json | 38.0.0 |
| 2026-04-01T13:33:03.693020+00:00 | RedHat Importer | Affected by | VCID-sjws-ddnq-fke2 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69223.json | 38.0.0 |