CVE-2026-47157

MEDIUM6.5

aiograpi: Unsafe signup challenge path handling

發布日:2026/5/23修改日:2026/5/23

描述

aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. A malicious or tampered challenge payload could cause challenge handling requests to be sent outside the intended Instagram host with the client\'s existing session headers. Version 0.9.10 validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms.

受影響套件(1)

PyPI/aiograpifrom 0, < 0.9.10

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

參考連結(2)

PATCHhttps://github.com/subzeroid/aiograpi
WEBhttps://github.com/subzeroid/aiograpi/security/advisories/GHSA-jh37-x3fv-4x72