talkpipe 0.8.2a1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the talkpipe package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Missing Authentication for Critical Function talkpipe is a Python internal and external DSL for writing generative AI analytics Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the CORS middleware, which allowed requests from any origin `(*)`, without needing to provide any form of API key or valid authentication. An attacker can access and read streamed responses from the `/output-stream` route from a malicious website. How to fix Missing Authentication for Critical Function? Upgrade `talkpipe` to version 0.9.0a2 or higher.	[,0.9.0a2)
C Command Injection talkpipe is a Python internal and external DSL for writing generative AI analytics Affected versions of this package are vulnerable to Command Injection via the `talkpipe.util.os.run_command function` which use `subprocess.Popen(..., shell=True)` unsafe. An attacker can execute arbitrary operating system (OS) commands by injecting shell metacharacters, pipes, or command substitution sequences into the user-controlled command string. How to fix Command Injection? Upgrade `talkpipe` to version 0.9.0a2 or higher.	[,0.9.0a2)
C Eval Injection talkpipe is a Python internal and external DSL for writing generative AI analytics Affected versions of this package are vulnerable to Eval Injection due to using the function `eval()` unsafe in the `compileLambda` function in the `talkpipe/util/data_manipulation.py` file. An attacker can execute arbitrary Python code by injecting a malicious expression. How to fix Eval Injection? Upgrade `talkpipe` to version 0.9.0a2 or higher.	[,0.9.0a2)

Vulnerability

Vulnerable Version

Missing Authentication for Critical Function

talkpipe is a Python internal and external DSL for writing generative AI analytics

Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the CORS middleware, which allowed requests from any origin (*), without needing to provide any form of API key or valid authentication. An attacker can access and read streamed responses from the /output-stream route from a malicious website.

How to fix Missing Authentication for Critical Function?

Upgrade talkpipe to version 0.9.0a2 or higher.

[,0.9.0a2)

Command Injection

talkpipe is a Python internal and external DSL for writing generative AI analytics

Affected versions of this package are vulnerable to Command Injection via the talkpipe.util.os.run_command function which use subprocess.Popen(..., shell=True) unsafe. An attacker can execute arbitrary operating system (OS) commands by injecting shell metacharacters, pipes, or command substitution sequences into the user-controlled command string.

How to fix Command Injection?

Upgrade talkpipe to version 0.9.0a2 or higher.

[,0.9.0a2)

Eval Injection

talkpipe is a Python internal and external DSL for writing generative AI analytics

Affected versions of this package are vulnerable to Eval Injection due to using the function eval() unsafe in the compileLambda function in the talkpipe/util/data_manipulation.py file. An attacker can execute arbitrary Python code by injecting a malicious expression.

How to fix Eval Injection?

Upgrade talkpipe to version 0.9.0a2 or higher.

[,0.9.0a2)

talkpipe@0.8.2a1 vulnerabilities

Python internal and external DSL for writing generative AI analytics

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically