SCH227/own-research
Vulnerability Research in popular Open Source libraries

Content Summary

I will be uploading a write-up for almost all of them, in separate folders organized by year and by CVE ID, GHSA ID or similar. Yet-unpublished vulnerabilities are not included.

1. CVE-2022-40897

ReDoS in Setuptools. #5 most downloaded package on PyPI, November 2022.

2. CVE-2022-40898

ReDoS in Wheel. #13, PyPI, November 2022.

3. CVE-2022-36087

ReDoS in Oauthlib. #31, PyPI, August 2022.

4. CVE-2022-40899

ReDoS in Future. #101, PyPI, November 2022.

5. CVE-2022-42969

ReDoS in Py. #114, PyPI, November 2022.

6. CVE-2022-40023

ReDoS in Mako. #150, PyPI, August 2022.

7. CVE-2022-37189

XXE in MEI2Volpiano. PyPI, 2022.

8. CVE-2023-32758

ReDoS in Git-url-parse. #4052, PyPI, May 2023.

And in Semgrep. #2346, PyPI, May 2023.

9. CVE-2022-40896

ReDoS in Pygments. #85, PyPI, May 2023.

10. CVE-2023-4863

Bundled vulnerable libwebp in Pywebp. PyPI, 2023.

11. CVE-2023-38545

Bundled vulnerable libcurl in Curl_cffi. #2366, PyPI, Oct 2024.

12. CVE-2023-45853

Heap Overflow in Pyminizip. #2704, PyPI, Feb 2024.

13. CVE-2024-27088

ReDoS in Es5-ext. Top 5000 most downloaded, NPM, 2024.

14. CVE-2024-41124

No HTTPS in Puncia. PyPI, 2024.

15. CVE-2025-46726

XXE in Langroid. #12163, PyPI, May 2025.

16. CVE-2025-47273

Path Traversal leading to Arbitrary File Overwrite (AFO) in Setuptools. #8, PyPI, May 2025.

17. CVE-2025-46724

Code Injection leading to RCE in Langroid. #12163, PyPI, May 2025.

18. CVE-2025-46725

Code Injection leading to RCE in Langroid. #12163, PyPI, May 2025.
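Most of the entries above are ReDoS findings, and they share one shape: a regular expression with nested or overlapping quantifiers that a short crafted input can push into catastrophic backtracking. The harness below is an added example, not code from this repository or from any of the affected projects; the two patterns in it are textbook constructed illustrations, not the regexes fixed in the listed CVEs, and the names `failing_input`, `probe`, `growth_ratio` and `looks_superlinear` are chosen here.

```python
"""Probe a regular expression for superlinear (catastrophic) backtracking.

Added example. The patterns are constructed textbook illustrations and are
not the regexes from any of the CVEs catalogued in this repository.
"""
import re
import time

# Classic vulnerable shape: a nested quantifier followed by an anchor that
# makes the overall match fail, so the engine tries every way of splitting
# the run of 'a's between the inner and outer '+'.  Constructed, not from a CVE.
VULNERABLE = re.compile(r"(a+)+$")

# Same intent without the nested quantifier: a failed match backtracks
# linearly in the input length instead of exponentially.
HARDENED = re.compile(r"a+$")


def failing_input(n: int) -> str:
    """Attack string: n repeats of the quantified character, then one
    character that forces the match to fail only at the very end."""
    return "a" * n + "!"


def time_match(pattern: re.Pattern, text: str, repeats: int = 3) -> float:
    """Best-of-N wall-clock seconds for an anchored match attempt.

    re.match anchors at offset 0; re.search would add a factor of n for
    the linear pattern as it retries every start position."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def probe(pattern: re.Pattern, sizes) -> dict:
    """Map each input size to the time the pattern needs to reject it."""
    return {n: time_match(pattern, failing_input(n), repeats=5) for n in sizes}


def growth_ratio(times: dict) -> float:
    """Time at the largest size divided by time at the smallest size.
    An exponential pattern blows this up when the sizes differ by only a
    few characters; a linear one tracks the ratio of the sizes."""
    sizes = sorted(times)
    return times[sizes[-1]] / max(times[sizes[0]], 1e-9)


def looks_superlinear(pattern: re.Pattern, small: int, large: int,
                      factor: float = 4.0) -> bool:
    """Heuristic verdict: True when growing the input from `small` to
    `large` characters costs more than `factor` times as long."""
    return growth_ratio(probe(pattern, (small, large))) > factor


if __name__ == "__main__":
    # Every extra 'a' roughly doubles the vulnerable pattern's reject time.
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for n, secs in probe(pat, (14, 17, 20)).items():
            print(f"{name:10s} n={n:2d} {secs * 1000:9.3f} ms")
```

The threshold in `looks_superlinear` is deliberately loose: between 14 and 20 characters a linear pattern should cost at most a few times more, while the nested-quantifier pattern costs on the order of 2^6 times more, so a factor of 4 separates the two even on a noisy machine. Keep the sizes small when probing an unknown pattern; going past about 25 characters with an exponential regex in CPython's `re` takes seconds to minutes.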

About

Notes from a personal project about new vulnerability research in popular software
