PYSEC-2025-6

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/colabrun/PYSEC-2025-6.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2025-6

Published

2025-02-26T21:45:57.721824Z

Modified

2025-02-26T20:59:48Z

Summary

Exfiltrates cookies to hardcoded IP address

Details

Published in 2021, the colabrun package is a Python library that exfiltrates user cookies to a hardcoded IP address. The package was found to exfiltrate user data to a hardcoded server, which could be used for malicious purposes.

References

https://inspector.pypi.io/project/colabrun/0.3/packages/89/28/3a932225fc02f6f6dc39d6232e3937011e11294551a985257c949eb4a7d3/colabrun-0.3.tar.gz/colabrun-0.3/colabrun/common/config.py#line.4
https://inspector.pypi.io/project/colabrun/0.3/packages/89/28/3a932225fc02f6f6dc39d6232e3937011e11294551a985257c949eb4a7d3/colabrun-0.3.tar.gz/colabrun-0.3/colabrun/common/utils.py#line.29

Credits

- Mike Fiedler - COORDINATOR

Affected packages

PyPI / colabrun

Package

Name: colabrun; View open source insights on deps.dev
Purl: pkg:pypi/colabrun

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/colabrun/PYSEC-2025-6.yaml"