Vulnerabilities
| ID | Packages | Summary | Published | Attributes |
| --- | --- | --- | --- | --- |
| GHSA-jj54-r8gm-2fcf | PyPI/dbt-mcp | dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction | 14 May | Fix available; Severity - 3.1 (Low) |
| GHSA-7xgw-6qf3-7w59 | PyPI/dbt-mcp | dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled | 14 May | Fix available; Severity - 2.5 (Low) |
| GHSA-xpww-f6pm-cfhq | PyPI/dbt-mcp | dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters | 14 May | Fix available; Severity - 6.3 (Medium) |
| GHSA-w75w-9qv4-j5xj | PyPI/dbt-common | dbt-common's commonprefix() doesn't protect against path traversal | 05 Mar | Fix available; Severity - 2.0 (Low) |
| MAL-2024-10413 | PyPI/dbt-bytedhouse | Malicious code in dbt-bytedhouse (PyPI) | 06 Nov 2024 | No fix available |
| MAL-2024-10414 | PyPI/dbt-byteshouse | Malicious code in dbt-byteshouse (PyPI) | 06 Nov 2024 | No fix available |
| GHSA-p3f3-5ccg-83xq | PyPI/dbt-core | dbt has an implicit override for built-in materializations from installed packages | 17 Jul 2024 | Fix available; Severity - 2.4 (Low) |
| PYSEC-2024-66 | PyPI/dbt-core, github.com/dbt-labs/dbt-core | See record for full details | 16 Jul 2024 | Fix available; Severity - 7.8 (High) |
| MAL-2024-5028 | PyPI/data-platform-dbt | Malicious code in data-platform-dbt (PyPI) | 25 Jun 2024 | No fix available |
| GHSA-pmrx-695r-4349 | PyPI/dbt-core | dbt allows Binding to an Unrestricted IP Address via socketsocket | 28 May 2024 | Fix available; Severity - 5.3 (Medium) |
| GHSA-p72q-h37j-3hq7 | PyPI/dbt-core | dbt uses a SQLparse version with a high vulnerability | 22 Apr 2024 | Fix available; Severity - 7.5 (High) |
| GHSA-j4g3-3q8x-jxqp | PyPI/dbt-core | dbt-core's secret env vars written to package-lock.json in plaintext | 08 Dec 2023 | Fix available; Severity - 3.2 (Low) |
PyPI - OSV