PyPi: Sqlite-Vec

CVE-2024-46488

Safety vulnerability ID: 73494

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 25, 2024 Updated at Nov 20, 2024

Scan your Python projects for vulnerabilities →

Advisory

Affected versions of sqlite-vec are vulnerable to heap-buffer overflow (CWE-125). This can result in memory corruption and application crashes when parsing specially crafted Numpy files. The vulnerability is triggered by an out-of-bounds read during token scanning in the npy_token_next function, caused by insufficient boundary checks before calling strncmp. Attackers can exploit this issue by supplying malicious Numpy files.

Affected package

sqlite-vec

Latest version: 0.1.6

None

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 5.5

CVSS v3 Details

MEDIUM 5.5

Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Availability (A): HIGH