Vulnerability Report
- Name:
- carpediem-api-tasks
- Type:
- image
- Checksum:
- sha256:f21c0c94a0b747e8532d7527053f605bd2ac2d71f7d295edfd0891b1656760b8
- Date:
- 2026-01-07T04:58:58.63372162Z
Critical
1
High
1
Medium
7
Low
8
Unknown
0
| Name | Version | Type | Vulnerability | Severity | Risk | State | Fixed In | Description | Related URLs | PURL |
|---|---|---|---|---|---|---|---|---|---|---|
| python | 3.13.9 | binary | CVE-2025-12084 | Medium | 0.09% | fixed |
|
When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | ["https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0","https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4","https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437","https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907","https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d","https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8","https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964","https://github.com/python/cpython/issues/142145","https://github.com/python/cpython/pull/142146"] | pkg:generic/python@3.13.9 |
| python | 3.13.9 | binary | CVE-2025-13836 | Critical | 0.07% | fixed |
|
When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. | ["https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628","https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15","https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155","https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5","https://github.com/python/cpython/issues/119451","https://github.com/python/cpython/pull/119454","https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/"] | pkg:generic/python@3.13.9 |
| python | 3.13.9 | binary | CVE-2025-8291 | Medium | 0.06% | fixed |
|
The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. | ["https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267","https://github.com/python/cpython/commit/1d29afb0d6218aa8fb5e1e4a6133a4778d89bb46","https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6","https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196","https://github.com/python/cpython/commit/8392b2f0d35678407d9ce7d95655a5b77de161b4","https://github.com/python/cpython/commit/bca11ae7d575d87ed93f5dd6a313be6246e3e388","https://github.com/python/cpython/commit/d11e69d6203080e3ec450446bfed0516727b85c3","https://github.com/python/cpython/issues/139700","https://github.com/python/cpython/pull/139702","https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/","https://github.com/google/security-research/security/advisories/GHSA-hhv7-p4pg-wm6p","https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2025-12.json"] | pkg:generic/python@3.13.9 |
| busybox | 1.37.0-r19 | apk | CVE-2025-60876 | Medium | 0.03% | N/A | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | ["https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092","https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm","https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm"] | pkg:apk/alpine/busybox@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2 | |
| busybox-binsh | 1.37.0-r19 | apk | CVE-2025-60876 | Medium | 0.03% | N/A | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | ["https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092","https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm","https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm"] | pkg:apk/alpine/busybox-binsh@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox | |
| ssl_client | 1.37.0-r19 | apk | CVE-2025-60876 | Medium | 0.03% | N/A | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | ["https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092","https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm","https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm"] | pkg:apk/alpine/ssl_client@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox | |
| urllib3 | 2.5.0 | python | GHSA-2xpw-w6gg-jr37 | High | 0.01% | fixed |
|
urllib3 streaming API improperly handles highly compressed data | [] | pkg:pypi/urllib3@2.5.0 |
| pip | 25.2 | python | GHSA-4xh5-x5gv-qwph | Medium | 0.01% | fixed |
|
pip's fallback tar extraction doesn't check symbolic links point to extraction directory | [] | pkg:pypi/pip@25.2 |
| filelock | 3.20.0 | python | GHSA-w853-jp5j-5j7f | Medium | 0.01% | fixed |
|
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation | [] | pkg:pypi/filelock@3.20.0 |
| busybox | 1.37.0-r19 | apk | CVE-2024-58251 | Low | 0.01% | fixed |
|
[] | pkg:apk/alpine/busybox@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2 | |
| busybox-binsh | 1.37.0-r19 | apk | CVE-2024-58251 | Low | 0.01% | fixed |
|
[] | pkg:apk/alpine/busybox-binsh@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox | |
| ssl_client | 1.37.0-r19 | apk | CVE-2024-58251 | Low | 0.01% | fixed |
|
[] | pkg:apk/alpine/ssl_client@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox | |
| busybox | 1.37.0-r19 | apk | CVE-2025-46394 | Low | 0.01% | fixed |
|
[] | pkg:apk/alpine/busybox@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2 | |
| busybox-binsh | 1.37.0-r19 | apk | CVE-2025-46394 | Low | 0.01% | fixed |
|
[] | pkg:apk/alpine/busybox-binsh@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox | |
| ssl_client | 1.37.0-r19 | apk | CVE-2025-46394 | Low | 0.01% | fixed |
|
[] | pkg:apk/alpine/ssl_client@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox | |
| python | 3.13.9 | binary | CVE-2025-13837 | Low | 0.01% | fixed |
|
When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | ["https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b","https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70","https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba","https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb","https://github.com/python/cpython/issues/119342","https://github.com/python/cpython/pull/119343","https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/"] | pkg:generic/python@3.13.9 |
| python | 3.13.9 | binary | CVE-2025-6075 | Low | 0.00% | fixed |
|
If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. | ["https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c","https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427","https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84","https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca","https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742","https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba","https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c","https://github.com/python/cpython/issues/136065","https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/"] | pkg:generic/python@3.13.9 |