GHSA-gvvw-rr8m-fj76
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gvvw-rr8m-fj76
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-gvvw-rr8m-fj76/GHSA-gvvw-rr8m-fj76.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-gvvw-rr8m-fj76
- Published
- 2025-01-27T12:30:28Z
- Modified
- 2025-02-19T19:59:23Z
- Summary
- uniapi version 1.0.7 contained an information harvesting script.
- Details
-
uniapi version 1.0.7 introduces code that would execute on import of the module and download a script from a remote URL, and would then execute the downloaded script in a thread. The downloaded script would harvest system information and
POSTthe information to another remote URL. This code was found in the PyPI release artifacts and was not present in the public GitHub repository. - Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-01-27T12:30:28Z" }- References
-
- https://github.com/kam193/package-campaigns/blob/main/pypi/campaigns/highly_suspicious/2025-01-uniapi.json
- https://github.com/pypa/advisory-database/tree/main/vulns/uniapi/PYSEC-2025-2.yaml
- https://inspector.pypi.io/project/uniapi/1.0.7/packages/0f/40/c6e06c22bbc22ef45f40bf5a7711763fa08fec4d16b4718d86fd60970131/uniapi-1.0.7.tar.gz/uniapi-1.0.7/uniapi/__init__.py#line.11
Affected packages
PyPI / uniapi
Package
- Name
- uniapi
- View open source insights on deps.dev
- Purl
- pkg:pypi/uniapi