Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1057228?format=api
{
    "url": "http://public2.vulnerablecode.io/api/packages/1057228?format=api",
    "purl": "pkg:pypi/aiograpi@0.7.0",
    "type": "pypi",
    "namespace": "",
    "name": "aiograpi",
    "version": "0.7.0",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "0.7.2",
    "latest_non_vulnerable_version": "0.9.10",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360396?format=api",
            "vulnerability_id": "VCID-cb8t-3e3r-f3et",
            "summary": "aiograpi has dependency on vulnerable orjson 3.11.4 (CVE-2025-67221)\n## Impact\n\naiograpi 0.6.6 / 0.7.0 / 0.7.1 declared `orjson==3.11.6` (and later `==3.11.8`) in `requirements.txt` but `setup.py` carried a hard-coded duplicate `requirements = [...]` list that was never updated and still pinned `orjson==3.11.4`.\n\nWhen `setuptools` builds the source distribution it reads the metadata from `setup.py`, not from `requirements.txt`. So `pip install aiograpi==0.6.6` (or 0.7.0 / 0.7.1) actually pulls `orjson==3.11.4` — a version vulnerable to **CVE-2025-67221** (stack overflow in `orjson.dumps` on deeply nested JSON inputs).\n\n## Practical exploitability\n\nLow in the typical aiograpi flow: `orjson` is used to encode request bodies aiograpi itself constructs and to decode responses returned by Instagram. An attacker would need to coerce aiograpi to encode an attacker-controlled deeply-nested Python structure or to decode an attacker-supplied stream — not the normal call shape.\n\nHowever any caller doing `client.public_request(...)` or similar with caller-controlled payloads, or any caller passing aiograpi-decoded `last_json` into recursive serialization, may hit the unbounded recursion. The patched orjson rejects deeply-nested inputs cleanly.\n\n## Patches\n\nFixed in **aiograpi 0.7.2** by migrating to `pyproject.toml` (PEP 621) — single source of truth for dependencies. PyPI installs of 0.7.2 and later resolve `orjson==3.11.8` correctly.\n\n## Workarounds\n\nForce-install a non-vulnerable orjson alongside the affected aiograpi version:\n\n```\npip install 'aiograpi==0.7.1' 'orjson>=3.11.6'\n```\n\nOr just upgrade to a fixed aiograpi:\n\n```\npip install -U 'aiograpi>=0.7.2'\n```\n\n## Resources\n\n- orjson CVE-2025-67221 advisory: https://github.com/ijl/orjson/security/advisories\n- aiograpi 0.7.2 changelog (security section): https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27",
            "references": [
                {
                    "reference_url": "https://github.com/ijl/orjson/security/advisories",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/ijl/orjson/security/advisories"
                },
                {
                    "reference_url": "https://github.com/subzeroid/aiograpi",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/subzeroid/aiograpi"
                },
                {
                    "reference_url": "https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27"
                },
                {
                    "reference_url": "https://github.com/subzeroid/aiograpi/security/advisories/GHSA-7mw3-79jq-xc7f",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "2.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/subzeroid/aiograpi/security/advisories/GHSA-7mw3-79jq-xc7f"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-7mw3-79jq-xc7f",
                    "reference_id": "GHSA-7mw3-79jq-xc7f",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-7mw3-79jq-xc7f"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/375956?format=api",
                    "purl": "pkg:pypi/aiograpi@0.7.2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aiograpi@0.7.2"
                }
            ],
            "aliases": [
                "GHSA-7mw3-79jq-xc7f"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cb8t-3e3r-f3et"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "1.4",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aiograpi@0.7.0"
}