GHSA-7MW3-79JQ-XC7F
Vulnerability from github – Published: 2026-05-06 22:06 – Updated: 2026-05-06 22:06Impact
aiograpi 0.6.6 / 0.7.0 / 0.7.1 declared orjson==3.11.6 (and later ==3.11.8) in requirements.txt but setup.py carried a hard-coded duplicate requirements = [...] list that was never updated and still pinned orjson==3.11.4.
When setuptools builds the source distribution it reads the metadata from setup.py, not from requirements.txt. So pip install aiograpi==0.6.6 (or 0.7.0 / 0.7.1) actually pulls orjson==3.11.4 — a version vulnerable to CVE-2025-67221 (stack overflow in orjson.dumps on deeply nested JSON inputs).
Practical exploitability
Low in the typical aiograpi flow: orjson is used to encode request bodies aiograpi itself constructs and to decode responses returned by Instagram. An attacker would need to coerce aiograpi to encode an attacker-controlled deeply-nested Python structure or to decode an attacker-supplied stream — not the normal call shape.
However any caller doing client.public_request(...) or similar with caller-controlled payloads, or any caller passing aiograpi-decoded last_json into recursive serialization, may hit the unbounded recursion. The patched orjson rejects deeply-nested inputs cleanly.
Patches
Fixed in aiograpi 0.7.2 by migrating to pyproject.toml (PEP 621) — single source of truth for dependencies. PyPI installs of 0.7.2 and later resolve orjson==3.11.8 correctly.
Workarounds
Force-install a non-vulnerable orjson alongside the affected aiograpi version:
pip install 'aiograpi==0.7.1' 'orjson>=3.11.6'
Or just upgrade to a fixed aiograpi:
pip install -U 'aiograpi>=0.7.2'
Resources
- orjson CVE-2025-67221 advisory: https://github.com/ijl/orjson/security/advisories
- aiograpi 0.7.2 changelog (security section): https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "aiograpi"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.6"
},
{
"fixed": "0.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T22:06:11Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Impact\n\naiograpi 0.6.6 / 0.7.0 / 0.7.1 declared `orjson==3.11.6` (and later `==3.11.8`) in `requirements.txt` but `setup.py` carried a hard-coded duplicate `requirements = [...]` list that was never updated and still pinned `orjson==3.11.4`.\n\nWhen `setuptools` builds the source distribution it reads the metadata from `setup.py`, not from `requirements.txt`. So `pip install aiograpi==0.6.6` (or 0.7.0 / 0.7.1) actually pulls `orjson==3.11.4` \u2014 a version vulnerable to **CVE-2025-67221** (stack overflow in `orjson.dumps` on deeply nested JSON inputs).\n\n## Practical exploitability\n\nLow in the typical aiograpi flow: `orjson` is used to encode request bodies aiograpi itself constructs and to decode responses returned by Instagram. An attacker would need to coerce aiograpi to encode an attacker-controlled deeply-nested Python structure or to decode an attacker-supplied stream \u2014 not the normal call shape.\n\nHowever any caller doing `client.public_request(...)` or similar with caller-controlled payloads, or any caller passing aiograpi-decoded `last_json` into recursive serialization, may hit the unbounded recursion. The patched orjson rejects deeply-nested inputs cleanly.\n\n## Patches\n\nFixed in **aiograpi 0.7.2** by migrating to `pyproject.toml` (PEP 621) \u2014 single source of truth for dependencies. PyPI installs of 0.7.2 and later resolve `orjson==3.11.8` correctly.\n\n## Workarounds\n\nForce-install a non-vulnerable orjson alongside the affected aiograpi version:\n\n```\npip install \u0027aiograpi==0.7.1\u0027 \u0027orjson\u003e=3.11.6\u0027\n```\n\nOr just upgrade to a fixed aiograpi:\n\n```\npip install -U \u0027aiograpi\u003e=0.7.2\u0027\n```\n\n## Resources\n\n- orjson CVE-2025-67221 advisory: https://github.com/ijl/orjson/security/advisories\n- aiograpi 0.7.2 changelog (security section): https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27",
"id": "GHSA-7mw3-79jq-xc7f",
"modified": "2026-05-06T22:06:11Z",
"published": "2026-05-06T22:06:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/subzeroid/aiograpi/security/advisories/GHSA-7mw3-79jq-xc7f"
},
{
"type": "WEB",
"url": "https://github.com/ijl/orjson/security/advisories"
},
{
"type": "PACKAGE",
"url": "https://github.com/subzeroid/aiograpi"
},
{
"type": "WEB",
"url": "https://github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md#072--2026-04-27"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "aiograpi has dependency on vulnerable orjson 3.11.4 (CVE-2025-67221)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.