🛡️ Security Scan Report

Trivy Vulnerability & Secret Scanner
Service: eizen-vip-face-authentication-api
Branch: milvus_develop
Build: #250
Date: 2026-06-24 12:14:33

0

Critical

27

High

35

Medium

0

Low

0

Secrets

2

Misconfig

🔴 Vulnerabilities (60)
SeverityCVE IDPackageInstalledFixed InDescription
HIGH CVE-2025-69223 aiohttp 3.13.2 3.13.3 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
MEDIUM CVE-2025-69227 aiohttp 3.13.2 3.13.3 aiohttp: aiohttp: Denial of Service via specially crafted POST request
MEDIUM CVE-2025-69228 aiohttp 3.13.2 3.13.3 aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST request
MEDIUM CVE-2025-69229 aiohttp 3.13.2 3.13.3 aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handling
MEDIUM CVE-2026-22815 aiohttp 3.13.2 3.13.4 aiohttp: AIOHTTP: Denial of Service via insufficient header/trailer handling
MEDIUM CVE-2026-34515 aiohttp 3.13.2 3.13.4 aiohttp: AIOHTTP: Information disclosure via static resource handler on Windows
MEDIUM CVE-2026-34516 aiohttp 3.13.2 3.13.4 aiohttp: AIOHTTP: Denial of Service via excessive multipart headers
MEDIUM CVE-2026-34525 aiohttp 3.13.2 3.13.4 aiohttp: aiohttp: Security bypass via multiple Host headers
MEDIUM CVE-2026-34993 aiohttp 3.13.2 3.14.0 aiohttp: AIOHTTP: Arbitrary code execution via untrusted input to CookieJar.load()
MEDIUM CVE-2026-47265 aiohttp 3.13.2 3.14.0 python-aiohttp: AIOHTTP: Information disclosure via improper handling of cookies during cross-origin
MEDIUM CVE-2026-54273 aiohttp 3.13.2 3.14.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
MEDIUM CVE-2026-54274 aiohttp 3.13.2 3.14.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
MEDIUM CVE-2026-54276 aiohttp 3.13.2 3.14.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
MEDIUM CVE-2026-54277 aiohttp 3.13.2 3.14.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
MEDIUM CVE-2026-54278 aiohttp 3.13.2 3.14.1 AIOHTTP is an asynchronous HTTP client/server framework for asyncio an ...
MEDIUM CVE-2025-68146 filelock 3.19.1 3.20.1 filelock: filelock: Time-of-Check-Time-of-Use (TOCTOU) race condition and symlink attack allows arbi
MEDIUM CVE-2026-22701 filelock 3.19.1 3.20.3 filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in SoftFileLock
MEDIUM CVE-2026-45409 idna 3.10 3.15 Internationalized Domain Names in Applications (IDNA) for Python provi ...
HIGH GHSA-6v7p-g79w-8964 msgpack 1.1.2 1.2.1 MessagePack for Python: Out-of-bounds read / crash on Unpacker reuse after a caught error
HIGH CVE-2026-27489 onnx 1.17.0 1.21.0 onnx: ONNX: Information Disclosure via Path Traversal Vulnerability
HIGH CVE-2026-28500 onnx 1.17.0 1.21.0rc1 onnx: ONNX: Untrusted Model Repository Warnings Suppressed
HIGH CVE-2026-34445 onnx 1.17.0 1.21.0 ONNX: ONNX: Denial of Service and potential information disclosure via malicious model metadata
HIGH GHSA-q56x-g2fj-4rj6 onnx 1.17.0 1.21.0 ONNX: TOCTOU arbitrary file read/write in save_external_dat
MEDIUM CVE-2026-34446 onnx 1.17.0 1.21.0 onnx: ONNX: Information disclosure through hardlink path traversal
MEDIUM CVE-2026-34447 onnx 1.17.0 1.21.0 Open Neural Network Exchange (ONNX) is an open standard for machine le ...
HIGH CVE-2026-25990 pillow 12.0.0 12.1.1 pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image
HIGH CVE-2026-40192 pillow 12.0.0 12.2.0 Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing
HIGH CVE-2026-42311 pillow 12.0.0 12.2.0 Pillow is a Python imaging library. From version 10.3.0 to before vers ...
MEDIUM CVE-2026-42308 pillow 12.0.0 12.2.0 Pillow: python: Pillow: Denial of Service via integer overflow in font processing
MEDIUM CVE-2026-42309 pillow 12.0.0 12.2.0 Pillow: Pillow: Denial of Service via specially crafted coordinate input
MEDIUM CVE-2026-42310 pillow 12.0.0 12.2.0 Pillow: Pillow: Denial of Service via malicious PDF processing
HIGH CVE-2026-0994 protobuf 6.33.2 6.33.5, 5.29.6 python: protobuf: Protobuf: Denial of Service due to recursion depth bypass
MEDIUM CVE-2026-28684 python-dotenv 1.1.0 1.2.2 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following
HIGH CVE-2026-24486 python-multipart 0.0.20 0.0.22 python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability
HIGH CVE-2026-42561 python-multipart 0.0.20 0.0.27 Python-Multipart is a streaming multipart parser for Python. Prior to ...
HIGH CVE-2026-53539 python-multipart 0.0.20 0.0.30 Python-Multipart is a streaming multipart parser for Python. Prior to ...
MEDIUM CVE-2026-40347 python-multipart 0.0.20 0.0.26 python-multipart: Python-Multipart: Denial of Service via crafted multipart/form-data requests
MEDIUM CVE-2026-25645 requests 2.32.5 2.33.0 requests: Requests: Security bypass due to predictable temporary file creation
HIGH CVE-2026-48818 starlette 0.50.0 1.1.0 starlette: Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
HIGH CVE-2026-54283 starlette 0.50.0 1.3.1 Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1. ...
MEDIUM CVE-2026-48710 starlette 0.50.0 1.0.1 starlette: Starlette: Security restriction bypass via malformed HTTP Host header
MEDIUM CVE-2026-48817 starlette 0.50.0 1.1.0 starlette: Starlette: Information disclosure and unintended method execution via non-standard HTTP m
MEDIUM CVE-2025-2999 torch 2.8.0 2.9.1 A vulnerability was found in PyTorch 2.6.0. It has been rated as criti ...
HIGH CVE-2026-32874 ujson 5.10.0 5.12.0 UltraJSON: UltraJSON: Denial of Service due to memory leak when parsing large integers
HIGH CVE-2026-32875 ujson 5.10.0 5.12.0 ultrajson: UltraJSON: Denial of Service via large indent parameter in JSON serialization
HIGH CVE-2026-44660 ujson 5.10.0 5.12.1 python-ujson: UltraJSON: Memory leak leading to Denial of Service
MEDIUM CVE-2026-54911 ujson 5.10.0 5.13.0 UltraJSON is a fast JSON encoder and decoder written in pure C with bi ...
HIGH CVE-2026-21441 urllib3 2.6.2 2.6.3 urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (st
HIGH CVE-2026-44431 urllib3 2.6.2 2.7.0 urllib3: urllib3: Information disclosure via cross-origin redirects forwarding sensitive headers
HIGH CVE-2026-44432 urllib3 2.6.2 2.7.0 urllib3: urllib3: Denial of Service due to excessive HTTP response decompression
MEDIUM CVE-2026-45409 idna 3.10 3.15 Internationalized Domain Names in Applications (IDNA) for Python provi ...
MEDIUM CVE-2026-28684 python-dotenv 1.1.0 1.2.2 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following
MEDIUM CVE-2024-47081 requests 2.32.3 2.32.4 requests: Requests vulnerable to .netrc credentials leak via malicious URLs
MEDIUM CVE-2026-25645 requests 2.32.3 2.33.0 requests: Requests: Security bypass due to predictable temporary file creation
HIGH CVE-2025-66418 urllib3 2.4.0 2.6.0 urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion
HIGH CVE-2025-66471 urllib3 2.4.0 2.6.0 urllib3: urllib3 Streaming API improperly handles highly compressed data
HIGH CVE-2026-21441 urllib3 2.4.0 2.6.3 urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (st
HIGH CVE-2026-44431 urllib3 2.4.0 2.7.0 urllib3: urllib3: Information disclosure via cross-origin redirects forwarding sensitive headers
MEDIUM CVE-2025-50181 urllib3 2.4.0 2.5.0 urllib3: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
MEDIUM CVE-2025-50182 urllib3 2.4.0 2.5.0 urllib3: urllib3 does not control redirects in browsers and Node.js
🔑 Secrets (0)
TypeFileLineMatch
✅ No secrets found
⚙️ Misconfigurations (2)
SeverityIDCheckFileMessage
HIGH DS002 Image user should not be 'root' Dockerfile Specify at least 1 USER command in Dockerfile with non-root user as argument
HIGH DS029 'apt-get' missing '--no-install-recommends' Dockerfile '--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y python3
📄 Raw JSON Report (click to expand)