HIGH 7.5

PYSEC-2025-221

Details

vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is fixed in 4.11.0.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / vantage6-server

Introduced in: 0 Fixed in: 4.11.0

Fix pip install --upgrade 'vantage6-server>=4.11.0'

References

https://github.com/vantage6/vantage6/security/advisories/GHSA-m3mq-f375-5vgh [ADVISORY]