numpy
Version: 2.3.5

What is "numpy"?
The fundamental package for scientific computing with Python.
How to use this package

Quick install
min add numpy
Installs the package into the current environment for this session. Use --build or --runtime to persist it as a build-time or runtime dependency.

Declare as a task dependency in minimal.toml
Listing the package under tasks.<name>.packages makes it available inside that task's sandbox.
[tasks.dev]
packages = ["numpy"]

Build-time vs runtime
Choose build-time for tools needed during compilation, runtime for dynamic libraries loaded at runtime.
min add --build numpy
min add --runtime numpy

Dependencies (6)
Dependency changes
No dependency changes
The two selected versions have identical direct dependencies.
| Name | Version | Kind |
|---|---|---|
No dependants
No other packages in the registry depend on this one.
| Lines | Deps | Released |
|---|---|---|
| +1 | 6 | |
| +2 / -2 | 6 | |
| -2 | 6 | |
| -1 | 6 | |
| +3 | 6 | |
| +1 / -1 | 6 | |
| +5 | 6 | |
| +1 / -1 | 6 | |
| +51 | 6 (+6) | |
Showing 15 advisories, 13 of which are transitive via numpy's dependencies
Critical (1)

- Status: Under investigation. Package: glibc. Severity: Critical: 9.8
  Summary: Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.
  Affected ranges: 2.42 – 2.43
  CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

High (6)

- Status: Under investigation. Package: python. Severity: High
  Summary: bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.
  Affected ranges: 3.13.7 – 3.14.5

- Status: Under investigation. Package: python. Severity: High: 7.5
  Summary: `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.
  Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.
  Affected ranges: 3.13.7 – 3.14.5
  CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- Status: Under investigation. Package: python. Severity: High: 7.5
  Summary: If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory, which is different from other operating systems. Only Windows is affected by this vulnerability.
  Affected ranges: 3.13.7 – 3.14.5
  CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

- Status: Under investigation. Package: glibc. Severity: High: 7.5
  Summary: Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.
  Affected ranges: 2.42 – 2.43
  CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- Status: Under investigation. Package: glibc. Severity: High: 7.5
  Summary: The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
  Affected ranges: 2.42 – 2.43
  CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- Status: Under investigation. Package: glibc. Severity: High: 7.5
  Summary: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.
  Affected ranges: 2.42 – 2.43
  CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Medium (8)

- Status: Under investigation. Package: python. Severity: Medium
  Summary: To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH variable is defined at build time and used to locate certain landmarks - specifically, Modules/setup.local. When this landmark is found relative to VPATH relative to the executable, Python assumes it is running in a source tree and generates a different default sys.path. This code remains in release builds, so that release-ready builds can be built in-tree. On Windows, since builds are written to 'PCbuild/', the value of VPATH is set to '..\..', which results in a landmark of '..\..\Modules\setup.local'. This path is outside the install directory of Python, and may have different permissions, potentially allowing a low-privilege user to create the landmark and an alternative `Lib` folder that will be discovered by an otherwise restricted install. Such a setup occurs with the legacy default install location for all users (in the now superseded EXE installer), due to how Windows allows all users to create folders in the root directory of their OS drive. Our recommended mitigation on Windows is to migrate away from the legacy installer and use the new [Python install manager](https://www.python.org/downloads/latest/pymanager/) to install for the current user. Installs where the directory two levels above the Python installation directory have equivalent permissions are unaffected (in general, a per-user install cannot be modified at all by other users, removing any escalation of privilege risk, and could be directly modified by a privileged user, making the potential tampering irrelevant). Alternative mitigations might include preemptively creating and restricting access to a `Modules` directory. Be aware that only 3.13 and 3.14 will receive updated legacy installers - earlier fixes are only provided as sources.
  Platforms other than Windows allow VPATH to be overridden, but as they don't usually use a separated directory in the build for binaries, are unlikely to have a landmark reference outside of the install directory. The landmark detection involving VPATH is a fallback for when a more specific landmark - .\pybuilddir.txt - is absent, and was included for compatibility. Future releases of Python will no longer include the fallback, and so builds will need to generate or preserve the pybuilddir.txt file in order to work in-tree. This landmark file has been generated on Windows since 3.11, and on other platforms for longer.
  Affected ranges: 3.13.7 – 3.14.5

- Status: Under investigation. Package: python. Severity: Medium
  Summary: tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.
  Affected ranges: 3.13.7 – 3.14.5

- Status: Under investigation. Package: python. Severity: Medium
  Summary: unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.
  Affected ranges: 3.13.7 – 3.14.5

- Status: Under investigation. Package: python. Severity: Medium
  Summary: The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
  Affected ranges: 3.13.7 – 3.14.5

- Status: Under investigation. Package: python. Severity: Medium: 6.1
  Summary: http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
  Affected ranges: 3.13.7 – 3.14.5
  CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

- Status: Under investigation. Package: glibc. Severity: Medium: 5.4
  Summary: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
  Affected ranges: 2.42 – 2.43
  CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

- Status: Resolved in 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15. Package: numpy. Severity: Medium: 5.5
  Summary: (1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink attack on a temporary file.
  Affected ranges: 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15, fixed in 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
  Fixed in: 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
  CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

- Status: Resolved in 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15. Package: numpy. Severity: Medium: 5.5
  Summary: __init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file.
  Affected ranges: 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15, fixed in 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
  Fixed in: 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
  CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Low (0)

Unknown (0)
54 components
| Packages | Version |
|---|---|
| numpy (root) | 2.3.5 |
| acl | 2.3.2 |
| attr | 2.5.2 |
| bash | 5.3 |
| bash-bootstrap | 5.3 |
| binutils | 2.46.1 |
| bison | 3.8.2 |
| bzip2 | 1.0.8 |
| coreutils | 9.11 |
| cython | 3.2.1 |
| diffutils | 3.12 |
| expat | 2.7.5 |
| file | 5.47 |
| findutils | 4.10.0 |
| flex | 2.6.4 |
| flit-core | 3.12.0 |
| gawk | 5.4.0 |
| gawk-bootstrap | 5.3.2 |
| gcc | 15.2.0 |
| gdbm | 1.26 |
| glibc | 2.43 |
| gmp | 6.3.0 |
| grep | 3.12 |
| gzip | 1.14 |
| libcap | 2.78 |
| libffi | 3.5.2 |
| linux_headers | 6.12.43 |
| lz4 | 1.10.0 |
| m4 | 1.4.21 |
| make | 4.4.1 |
| meson | 1.10.1 |
| meson-python | 0.18.0 |
| mpc | 1.4.0 |
| mpfr | 4.2.2 |
| ncurses | 6.5-20250830 |
| ninja | 1.13.2 |
| openblas | 0.3.31 |
| openssl | 3.6.3 |
| pcre2 | 10.47 |
| perl | 5.42.0 |
| pkgconf | 2.5.1 |
| py-packaging | 25.0 |
| pyproject-hooks | 1.2.0 |
| pyproject-metadata | 0.9.1 |
| python | 3.14.5 |
| readline | 8.3 |
| sed | 4.9 |
| setuptools | 82.0.1 |
| sqlite | 3.50.4 |
| tar | 1.35 |
| util-linux | 2.42.1 |
| xz | 5.8.3 |
| zlib | 1.3.2 |
| zstd | 1.5.7 |