PYSEC-2025-221

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/vantage6-server/PYSEC-2025-221.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2025-221

Aliases

Published

2025-06-12T18:15:20.713Z

Modified

2026-05-20T09:19:21.163912Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is fixed in 4.11.0.

References

https://github.com/vantage6/vantage6/security/advisories/GHSA-m3mq-f375-5vgh

Affected packages

PyPI / vantage6-server

Package

Name: vantage6-server; View open source insights on deps.dev
Purl: pkg:pypi/vantage6-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.11.0

Affected versions

0.*

0.0.0b0

0.0.0b1

0.0.0b3

0.0.0

1.*

1.0.0b2

1.0.0b3

1.0.0b4

1.0.0b5

1.0.0b6

1.0.0b7

1.0.0b8

1.0.0b9

1.0.0b11

1.0.0b12

1.0.0b13

1.0.0b14

1.0.0

1.0.1

1.2.0

1.2.1

1.2.2

1.2.3

1.2.3.post1

2.*

2.0.0a1

2.0.0a2

2.0.0a3

2.0.0

2.0.0.post1

2.0.1rc1

2.0.1rc2

2.1.0rc1

2.1.0

2.1.1

2.1.2

2.1.3b1

2.1.3b2

2.1.3b3

2.1.3b4

2.2.0b1

2.2.0b2

2.2.0b3

2.2.0b4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.3.0rc1

2.3.0rc2

2.3.0rc3

2.3.0rc4

2.3.0rc5

2.3.0

2.3.1

2.3.2rc1

2.3.2

2.3.3

2.3.4

2.3.5b1

2.3.5

3.*

3.0.0b1

3.0.0b3

3.0.0b4

3.0.0b5

3.0.0b6

3.0.0b7

3.0.0b8

3.0.0rc1

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0rc1

3.1.0rc5

3.1.0rc6

3.1.0rc7

3.1.0rc8

3.1.0rc9

3.1.0

3.1.1rc1

3.1.1rc2

3.2.0rc1

3.2.0rc2

3.2.0rc3

3.2.0rc4

3.2.0rc5

3.2.0

3.3.0a0

3.3.0rc1

3.3.0rc2

3.3.0rc3

3.3.0rc4

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7a2

3.3.7a3

3.3.7

3.3.8a1

3.3.8a2

3.3.8a4

3.3.8a5

3.3.8a6

3.3.8a7

3.3.8a8

3.4.0a1

3.4.0a2

3.4.0a3

3.4.0a6

3.4.0

3.4.1a0

3.4.1a1

3.4.1a2

3.4.1a3

3.4.1

3.4.2a0

3.4.2

3.4.3

3.5.0rc1

3.5.0rc2

3.5.0rc3

3.5.0

3.5.1

3.5.2

3.6.0

3.6.1rc1

3.6.1rc2

3.6.1rc3

3.6.1

3.7.0rc1

3.7.0rc2

3.7.0

3.7.1

3.7.2

3.7.3

3.8.0rc3

3.8.0

3.8.1

3.8.2rc1

3.8.2

3.8.3

3.8.4

3.8.5

3.8.6

3.8.7rc1

3.8.7

3.8.8rc1

3.8.8rc2

3.8.8rc3

3.8.8

3.9.0rc2

3.9.0rc4

3.9.0

3.10.0rc1

3.10.0

3.10.1

3.10.3

3.10.4

3.11.0rc1

3.11.0rc2

3.11.0rc3

3.11.0

3.11.1

4.*

4.0.0a2

4.0.0a3

4.0.0a4

4.0.0a5

4.0.0a6

4.0.0a7

4.0.0a8

4.0.0a9

4.0.0a10

4.0.0

4.0.1rc2

4.0.1

4.0.2

4.0.3

4.1.0b0

4.1.0b1

4.1.0rc0

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0rc1

4.2.0rc2

4.2.0

4.2.1

4.2.2

4.2.3

4.3.0b3

4.3.0b4

4.3.0b5

4.3.0b6

4.3.0rc1

4.3.0rc2

4.3.0

4.3.1

4.3.2rc2

4.3.2

4.3.4rc3

4.3.4

4.4.0rc3

4.4.0

4.4.1

4.5.0rc3

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.6.0rc3

4.6.0rc4

4.6.0rc5

4.6.0rc6

4.6.0rc7

4.6.0

4.6.1

4.7.0rc1

4.7.0rc2

4.7.0

4.7.1rc1

4.7.1

4.8.0rc1

4.8.0rc2

4.8.0rc3

4.8.0

4.8.1

4.8.2

4.9.0rc1

4.9.0

4.9.1

4.10.0rc1

4.10.0rc2

4.10.0rc3

4.10.0rc4

4.10.0

4.10.1rc1

4.10.1

4.10.2

4.11.0rc2

4.11.0rc3

4.11.0rc4

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/vantage6-server/PYSEC-2025-221.yaml"