Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/nanopb@0.4.4.dev1184

Type pypi

Namespace

Name nanopb

Version 0.4.4.dev1184

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.4.5

Latest_non_vulnerable_version 0.4.5

Affected_by_vulnerabilities

url VCID-95nd-te5z-cqbe

vulnerability_id VCID-95nd-te5z-cqbe

summary Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid `free()` or `realloc()` calls if the message type contains an `oneof` field, and the `oneof` directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See referenced GitHub Security Advisory for more information including workarounds.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-21401

reference_id

reference_type

scores

value	0.00809
scoring_system	epss
scoring_elements	0.74651
published_at	2026-06-11T12:55:00Z

value	0.00809
scoring_system	epss
scoring_elements	0.74722
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-21401

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21401
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21401

reference_url

https://github.com/nanopb/nanopb

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/nanopb/nanopb

reference_url

https://github.com/nanopb/nanopb/blob/c9124132a604047d0ef97a09c0e99cd9bed2c818/CHANGELOG.txt#L1

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/nanopb/nanopb/blob/c9124132a604047d0ef97a09c0e99cd9bed2c818/CHANGELOG.txt#L1

reference_url

https://github.com/nanopb/nanopb/commit/4a375a560651a86726e5283be85a9231fd0efe9c

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/nanopb/nanopb/commit/4a375a560651a86726e5283be85a9231fd0efe9c

reference_url

https://github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261

reference_url

https://github.com/nanopb/nanopb/issues/647

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/nanopb/nanopb/issues/647

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/nanopb/PYSEC-2021-432.yaml

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/nanopb/PYSEC-2021-432.yaml

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985844
reference_id	985844
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985844

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-21401

reference_id

CVE-2021-21401

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-21401

reference_url

https://github.com/advisories/GHSA-7mv5-5mxh-qg88

reference_id

GHSA-7mv5-5mxh-qg88

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7mv5-5mxh-qg88

reference_url

https://github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88

reference_id

GHSA-7mv5-5mxh-qg88

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88

reference_url	https://usn.ubuntu.com/6121-1/
reference_id	USN-6121-1
reference_type
scores
url	https://usn.ubuntu.com/6121-1/

fixed_packages

url	pkg:pypi/nanopb@0.4.5
purl	pkg:pypi/nanopb@0.4.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/nanopb@0.4.5

aliases CVE-2021-21401, GHSA-7mv5-5mxh-qg88, PYSEC-2021-432

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-95nd-te5z-cqbe

url VCID-s8hz-wf29-c3bc

vulnerability_id VCID-s8hz-wf29-c3bc

summary Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the option `no_unions` for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to `FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26243.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26243.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-26243

reference_id

reference_type

scores

value	0.00528
scoring_system	epss
scoring_elements	0.67574
published_at	2026-06-11T12:55:00Z

value	0.00528
scoring_system	epss
scoring_elements	0.67663
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-26243

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26243
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26243

reference_url

https://github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt

reference_url

https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c

reference_url

https://github.com/nanopb/nanopb/issues/615

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/nanopb/nanopb/issues/615

reference_url

https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-26243

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-26243

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1902065
reference_id	1902065
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1902065

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975838
reference_id	975838
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975838

reference_url

https://github.com/advisories/GHSA-85rr-4rh9-hhwh

reference_id

GHSA-85rr-4rh9-hhwh

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-85rr-4rh9-hhwh

reference_url	https://usn.ubuntu.com/6121-1/
reference_id	USN-6121-1
reference_type
scores
url	https://usn.ubuntu.com/6121-1/

fixed_packages

url pkg:pypi/nanopb@0.4.4

purl pkg:pypi/nanopb@0.4.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-95nd-te5z-cqbe

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nanopb@0.4.4

aliases CVE-2020-26243, GHSA-85rr-4rh9-hhwh

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s8hz-wf29-c3bc

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nanopb@0.4.4.dev1184

Package Instance