{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360396?format=json","vulnerability_id":"VCID-cb8t-3e3r-f3et","summary":"aiograpi has dependency on vulnerable orjson 3.11.4 (CVE-2025-67221)\n## Impact\n\naiograpi 0.6.6 / 0.7.0 / 0.7.1 declared `orjson==3.11.6` (and later `==3.11.8`) in `requirements.txt`, but `setup.py` carried a hard-coded duplicate `requirements = [...]` list that was never updated and still pinned `orjson==3.11.4`.\n\nWhen `setuptools` builds the source distribution it reads the metadata from `setup.py`, not from `requirements.txt`. So `pip install aiograpi==0.6.6` (or 0.7.0 / 0.7.1) actually pulls `orjson==3.11.4` — a version vulnerable to **CVE-2025-67221** (stack overflow in `orjson.dumps` on deeply nested JSON inputs).\n\n## Practical exploitability\n\nLow in the typical aiograpi flow: `orjson` is used to encode request bodies aiograpi itself constructs and to decode responses returned by Instagram. An attacker would need to coerce aiograpi to encode an attacker-controlled deeply-nested Python structure or to decode an attacker-supplied stream — not the normal call shape.\n\nHowever, any caller doing `client.public_request(...)` or similar with caller-controlled payloads, or any caller passing aiograpi-decoded `last_json` into recursive serialization, may hit the unbounded recursion. The patched orjson rejects deeply-nested inputs cleanly.\n\n## Patches\n\nFixed in **aiograpi 0.7.2** by migrating to `pyproject.toml` (PEP 621) — single source of truth for dependencies. 
PyPI installs of 0.7.2 and later resolve `orjson==3.11.8` correctly.\n\n## Workarounds\n\nForce-install a non-vulnerable orjson alongside the affected aiograpi version:\n\n```\npip install 'aiograpi==0.7.1' 'orjson>=3.11.6'\n```\n\nOr just upgrade to a fixed aiograpi:\n\n```\npip install -U 'aiograpi>=0.7.2'\n```\n\n## Resources\n\n- orjson CVE-2025-67221 advisory: https://github.com/ijl/orjson/security/advisories\n- aiograpi 0.7.2 changelog (security section): https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27","aliases":[{"alias":"GHSA-7mw3-79jq-xc7f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375956?format=json","purl":"pkg:pypi/aiograpi@0.7.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aiograpi@0.7.2"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1057227?format=json","purl":"pkg:pypi/aiograpi@0.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb8t-3e3r-f3et"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aiograpi@0.6.6"},{"url":"http://public2.vulnerablecode.io/api/packages/1057228?format=json","purl":"pkg:pypi/aiograpi@0.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb8t-3e3r-f3et"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aiograpi@0.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/1057229?format=json","purl":"pkg:pypi/aiograpi@0.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cb8t-3e3r-f3et"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aiograpi@0.7.1"}],"references":[{"reference_url":"https://github.com/ijl/orjson/security/advisories","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value"
:"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ijl/orjson/security/advisories"},{"reference_url":"https://github.com/subzeroid/aiograpi","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/subzeroid/aiograpi"},{"reference_url":"https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27"},{"reference_url":"https://github.com/subzeroid/aiograpi/security/advisories/GHSA-7mw3-79jq-xc7f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/subzeroid/aiograpi/security/advisories/GHSA-7mw3-79jq-xc7f"},{"reference_url":"https://github.com/advisories/GHSA-7mw3-79jq-xc7f","reference_id":"GHSA-7mw3-79jq-xc7f","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7mw3-79jq-xc7f"}],"weaknesses":[{"cwe_id":770,"name":"Allocation of Resources Without Limits or Throttling","description":"The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the 
intended security policy for that actor."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"0.1 - 3","exploitability":"0.5","weighted_severity":"2.7","risk_score":1.4,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cb8t-3e3r-f3et"}