gevent 1.3.7 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the gevent package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M HTTP Request Smuggling Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of `pywsgi` `Input._send_100_continue`. An attacker could extract data or compromise data integrity by sending a request with an `Expect: 100-continue` header. How to fix HTTP Request Smuggling? Upgrade `gevent` to version 25.4.1 or higher.	[,25.4.1)
H Race Condition Affected versions of this package are vulnerable to Race Condition when the fallback socketpair implementation is used on platforms that lack native support and the vulnerable function does not properly authenticate the connected sockets. An attacker must be able to predict the address and port and establish a connection before the legitimate client. How to fix Race Condition? Upgrade `gevent` to version 24.10.1 or higher.	[,24.10.1)
C Trusting HTTP Permission Methods on the Server Side Affected versions of this package are vulnerable to Trusting HTTP Permission Methods on the Server Side when the `gevent.pywsgi` function is used. An attacker can craft invalid trailers in chunked requests on keep-alive connections that might appear as two requests to `gevent.pywsgi`. This could potentially bypass checks if an upstream server is filtering incoming requests based on paths or header fields and simply passing trailers through without validating them. An attacker could escalate privileges on the system via a crafted script to the WSGIServer component. Note: If the upstream server validated that the trailers meet the HTTP specification, this could not occur, because characters that are required in an HTTP request, like a space, are not allowed in trailers. How to fix Trusting HTTP Permission Methods on the Server Side? Upgrade `gevent` to version 23.9.0 or higher.	[,23.9.0)

Vulnerability

Vulnerable Version

HTTP Request Smuggling

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of pywsgi Input._send_100_continue. An attacker could extract data or compromise data integrity by sending a request with an Expect: 100-continue header.

How to fix HTTP Request Smuggling?

Upgrade gevent to version 25.4.1 or higher.

[,25.4.1)

Race Condition

Affected versions of this package are vulnerable to Race Condition when the fallback socketpair implementation is used on platforms that lack native support and the vulnerable function does not properly authenticate the connected sockets. An attacker must be able to predict the address and port and establish a connection before the legitimate client.

How to fix Race Condition?

Upgrade gevent to version 24.10.1 or higher.

[,24.10.1)

Trusting HTTP Permission Methods on the Server Side

Affected versions of this package are vulnerable to Trusting HTTP Permission Methods on the Server Side when the gevent.pywsgi function is used. An attacker can craft invalid trailers in chunked requests on keep-alive connections that might appear as two requests to gevent.pywsgi. This could potentially bypass checks if an upstream server is filtering incoming requests based on paths or header fields and simply passing trailers through without validating them. An attacker could escalate privileges on the system via a crafted script to the WSGIServer component.

Note:

If the upstream server validated that the trailers meet the HTTP specification, this could not occur, because characters that are required in an HTTP request, like a space, are not allowed in trailers.

How to fix Trusting HTTP Permission Methods on the Server Side?

Upgrade gevent to version 23.9.0 or higher.

[,23.9.0)

gevent@1.3.7 vulnerabilities

Coroutine-based network library

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically