GHSA-7mw3-79jq-xc7f: aiograpi has dependency on vulnerable orjson 3.11.4 (CVE-2025-67221)

May 6, 2026

aiograpi 0.6.6 / 0.7.0 / 0.7.1 declared orjson==3.11.6 (and later ==3.11.8) in requirements.txt but setup.py carried a hard-coded duplicate requirements = [...] list that was never updated and still pinned orjson==3.11.4.

When setuptools builds the source distribution it reads the metadata from setup.py, not from requirements.txt. So pip install aiograpi==0.6.6 (or 0.7.0 / 0.7.1) actually pulls orjson==3.11.4 — a version vulnerable to CVE-2025-67221 (stack overflow in orjson.dumps on deeply nested JSON inputs).

References

github.com/advisories/GHSA-7mw3-79jq-xc7f
github.com/ijl/orjson/security/advisories
github.com/subzeroid/aiograpi
github.com/subzeroid/aiograpi/blob/main/CHANGELOG.md
github.com/subzeroid/aiograpi/security/advisories/GHSA-7mw3-79jq-xc7f

Code Behaviors & Features

Detect and mitigate GHSA-7mw3-79jq-xc7f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →