nisten | 4 months ago

Half-readable color scheme... random Python and JavaScript mixed in, ships with 2 Python CVEs out of the box out of 5 total dependencies... yep, it checks out, bois... certified infested slop

  python-socketio==5.8.0: 1 CVE (CVE-2025-61765); Remote Code Execution via malicious pickle deserialization in multi-server setups.
  eventlet==0.33.3: 1 CVE (CVE-2025-58068); HTTP request smuggling from improper trailer handling.

And then economists wonder why none of these people are getting jobs...

pixl97 | 4 months ago

I mean the python-socketio is from a few days ago and likely doesn't affect this package (it's not using message queues, right?)

Eventlet .33 is ancient, no idea why they would use that.

With this said, most people should have some kind of SCA to ensure they're not using ancient packages. Conversely picking up a package the day it's released has bit a lot of people when the repository in question gets pwned.
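A minimal check in the spirit of the SCA recommended above, covering both failure modes in this thread (ancient pins with known CVEs, and pins adopted the day they were released). It is an added example, not code from the thread or from the project under discussion: the CVE ids and pinned versions are the ones quoted upthread, while the affected ranges, release dates, audit date and the `examplelib` package are constructed assumptions; a real check would take ranges and dates from an advisory source such as OSV, for instance via pip-audit.

```python
import re
from datetime import date

# Constructed requirements: the first two pins are the ones quoted upthread, examplelib is fictional.
REQUIREMENTS = "python-socketio==5.8.0\neventlet==0.33.3\nexamplelib==1.0.0\n"
# Constructed advisories: CVE ids are from the thread, the affected ranges are assumptions.
ADVISORIES = {"python-socketio": [("CVE-2025-61765", "<=5.8.0")],
              "eventlet": [("CVE-2025-58068", "<=0.33.3")]}
# Constructed release dates and audit date (assumptions) for the package-age policy.
RELEASED = {("python-socketio", "5.8.0"): date(2023, 5, 1),
            ("eventlet", "0.33.3"): date(2022, 5, 1),
            ("examplelib", "1.0.0"): date(2025, 10, 8)}
TODAY = date(2025, 10, 10)

def parse_version(v):
    # '5.8.0' -> (5, 8, 0): tuples compare numerically, strings would not ('10' < '9')
    return tuple(int(p) for p in v.split("."))

def matches(version, specifier):
    # True if version satisfies every comma-separated clause, e.g. '>=5.0,<5.9'
    v = parse_version(version)
    for clause in specifier.split(","):
        op, bound = re.fullmatch(r"\s*(==|<=|>=|<|>)\s*([\d.]+)\s*", clause).groups()
        b = parse_version(bound)
        if not {"==": v == b, "<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b}[op]:
            return False
    return True

def parse_requirements(text):
    # Yield (name, version) from 'name==version' lines; comments and blanks are skipped
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, version = line.split("==")
            yield name.strip().lower(), version.strip()

def audit(text, today=TODAY, min_age_days=7, max_age_days=3 * 365):
    # Returns (name, version, kind, detail) tuples; kind is vulnerable, too-new or stale
    findings = []
    for name, version in parse_requirements(text):
        for cve, spec in ADVISORIES.get(name, []):
            if matches(version, spec):
                findings.append((name, version, "vulnerable", cve))
        released = RELEASED.get((name, version))
        if released is not None:  # unknown release date: no age verdict
            age = (today - released).days
            if age < min_age_days:
                findings.append((name, version, "too-new", f"{age} days old"))
            elif age > max_age_days:
                findings.append((name, version, "stale", f"{age} days old"))
    return findings
```

Running `audit(REQUIREMENTS)` flags both quoted pins as vulnerable, eventlet additionally as stale, and the fictional fresh release as too new, which is the kind of gate a CI job would fail on before the dependency ever lands.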