python-security
Safeguard articles tagged "python-security" — guides, analysis, and best practices for software supply chain and application security.
71 articles
urllib3 regular expression denial of service (CVE-2021-33503)
A deep dive into CVE-2021-33503, the urllib3 ReDoS flaw in Python's core HTTP library, its real-world exposure, and how to remediate it.
urllib3 cookie/auth header leak on cross-origin redirect (CVE-2023-43804)
CVE-2023-43804 lets urllib3 leak Cookie headers on cross-origin redirects. See affected versions, severity context, and how to remediate fast.
PyYAML full_load unsafe deserialization arbitrary code execution (CVE-2020-14343)
CVE-2020-14343 shows PyYAML's full_load/FullLoader "safe" fix was incomplete, enabling arbitrary code execution. Here's the fix and how to detect exposure.
PyYAML Loader arbitrary code execution (CVE-2017-18342)
PyYAML's default yaml.load() Loader lets attackers run arbitrary code via crafted YAML input. Here's how CVE-2017-18342 works and how to fix it.
IPython crafted directory code execution (CVE-2022-21699)
CVE-2022-21699 lets attackers plant crafted profile files in shared directories, triggering silent code execution when victims launch IPython or Jupyter sessions.
Python urllib.parse NFKC normalization blocklist bypass (CVE-2023-24329)
CVE-2023-24329 let attackers bypass URL blocklists via leading blank characters in Python's urllib.parse, enabling SSRF and filter evasion.
Python mailcap insecure shell command construction (CVE-2015-20107)
Python mailcap shell injection (CVE-2015-20107) lets attackers run arbitrary commands via unescaped filenames. Here is how to detect and fix it.
ctx and colourama PyPI typosquat malware incident
The ctx and colourama PyPI typosquatting malware incident shows how account takeover and name-squatting delivered credential-stealing code to devs.
Django str.format denial of service (CVE-2023-41164)
CVE-2023-41164 lets attackers DoS Django apps via a str.format() flaw in uri_to_iri(). Here's what's affected, severity context, and how to fix it.
Django admin ChangeList path traversal (CVE-2021-33203)
CVE-2021-33203 is a staff-only path traversal in Django's admindocs TemplateDetailView. Here's what's affected, its CVSS/EPSS profile, and how to remediate it.
Werkzeug multipart form-data denial of service (CVE-2019-1010083)
CVE-2019-1010083 lets attackers crash Flask apps via crafted multipart form-data. Here's the CVSS score, timeline, and how to fix the Werkzeug DoS flaw.
Werkzeug multipart parser DoS (CVE-2023-46136)
A crafted multipart upload could pin Werkzeug workers at 100% CPU with no auth required. Here's what CVE-2023-46136 affects and how to fix it.