gitsafehub
github.com/microsoft/promptflow

microsoft/promptflow

scanned 2026-06-30 · git 3928a72
1 of 6 checks flagged a security issue
🔴 Needs attention
Only 3 of 6 checks finished, so treat this verdict as provisional until the scan is re-run.

Informational scan, not a security audit.


Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish, which is not the same as “clean”: committed secrets may still be present in the history. Re-run the scan before relying on this result.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy 103 found · 1 serious

Packages you depend on that have known security holes (CVEs). Every finding shown below sits in a requirements.txt under examples/ or benchmark/, not in the library’s own dependency manifest; the 78 findings that are not shown may differ, so do not conclude the runtime dependencies are clean from the visible list alone.

  • Serious CVE-2025-1793 llama-index: LlamaIndex SQL Injection Vulnerability
    examples/tutorials/generate-test-data/requirements.txt
    A package you depend on has a known security hole (CVE-2025-1793). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-69223). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-52304 aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2024-52304). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69227 aiohttp: aiohttp: Denial of Service via specially crafted POST request
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-69227). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69228 aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST request
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-69228). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69229 aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handling
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-69229). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-22815 aiohttp: AIOHTTP: Denial of Service via insufficient header/trailer handling
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-22815). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34515 aiohttp: AIOHTTP: Information disclosure via static resource handler on Windows
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-34515). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34516 aiohttp: AIOHTTP: Denial of Service via excessive multipart headers
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-34516). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34525 aiohttp: aiohttp: Security bypass via multiple Host headers
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-34525). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34993 aiohttp: AIOHTTP: Arbitrary code execution via untrusted input to CookieJar.load()
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-34993). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-47265 python-aiohttp: AIOHTTP: Information disclosure via improper handling of cookies during cross-origin redirects
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-47265). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54273 aiohttp: AIOHTTP: Denial of Service via excessive pipelined requests
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-54273). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54274 aiohttp: aiohttp: Denial of Service via incomplete websocket frame payloads
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-54274). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54276 aiohttp: aiohttp: Information disclosure via DigestAuthMiddleware after cross-origin redirect
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-54276). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54277 aiohttp: aiohttp: Denial of Service via oversized HTTP request lines bypassing max_line_size check
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-54277). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-54278 aiohttp: aiohttp: Denial of Service due to excessive memory consumption from compressed request body
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-54278). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-24986 Azure PromptFlow remote code execution related to Jinja templates
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-24986). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
    benchmark/promptflow-serve/pf_flows/static_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-69223). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-52304 aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions
    benchmark/promptflow-serve/pf_flows/static_async/requirements.txt
    A package you depend on has a known security hole (CVE-2024-52304). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69227 aiohttp: aiohttp: Denial of Service via specially crafted POST request
    benchmark/promptflow-serve/pf_flows/static_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-69227). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69228 aiohttp: aiohttp: Denial of Service via memory exhaustion from crafted POST request
    benchmark/promptflow-serve/pf_flows/static_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-69228). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69229 aiohttp: AIOHTTP: Denial of Service via excessive CPU usage in chunked message handling
    benchmark/promptflow-serve/pf_flows/static_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-69229). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-22815 aiohttp: AIOHTTP: Denial of Service via insufficient header/trailer handling
    benchmark/promptflow-serve/pf_flows/static_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-22815). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-34515 aiohttp: AIOHTTP: Information disclosure via static resource handler on Windows
    benchmark/promptflow-serve/pf_flows/static_async/requirements.txt
    A package you depend on has a known security hole (CVE-2026-34515). Fix: Update that package to its patched version.
… 78 more not shown

via Trivy v0.70.0 · Apache-2.0
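Working through a list like this by hand is error-prone: the same aiohttp CVEs recur once per requirements.txt that pins the package, and the report truncates after 25 entries. The script below is an added example, not gitsafehub’s or the promptflow project’s own code. It parses the three-line finding format shown above into one row per (package, manifest), orders rows worst-severity first, and marks pins under examples/ and benchmark/ (the only directories visible in this report; treating them as non-runtime is an assumption about the repository layout) so the library’s own manifests get fixed first. The sample input is constructed from a few of the lines above, the two severity labels are assumed to be the only ones the report uses, and the "(unknown)" package name is a placeholder for lines that carry no "package:" prefix.

```python
"""Triage a gitsafehub/Trivy-style finding list by package and manifest.

Added example: not code from gitsafehub or the promptflow project. Runs
offline on the report text only; it does not query any vulnerability database.
"""
import re
from dataclasses import dataclass

# Constructed from the report above; a handful of the 103 findings plus the truncation line.
SAMPLE_REPORT = """\
  • Serious CVE-2025-1793 llama-index: LlamaIndex SQL Injection Vulnerability
    examples/tutorials/generate-test-data/requirements.txt
    A package you depend on has a known security hole (CVE-2025-1793). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-69223 aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-69223). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-52304 aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2024-52304). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-24986 Azure PromptFlow remote code execution related to Jinja templates
    benchmark/promptflow-serve/pf_flows/flex_async/requirements.txt
    A package you depend on has a known security hole (CVE-2025-24986). Fix: Update that package to its patched version.
  • Worth fixing CVE-2024-52304 aiohttp: aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions
    benchmark/promptflow-serve/pf_flows/static_async/requirements.txt
    A package you depend on has a known security hole (CVE-2024-52304). Fix: Update that package to its patched version.
… 78 more not shown
"""

FINDING_RE = re.compile(
    r"^[•*-]\s+(?P<severity>Serious|Worth fixing)\s+(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<rest>.+)$"
)
# "package: title" is the usual shape; some lines (e.g. CVE-2025-24986 above) omit the package.
PACKAGE_RE = re.compile(r"^(?P<package>[A-Za-z0-9][A-Za-z0-9._-]*):\s+(?P<title>.+)$")
TRUNCATION_RE = re.compile(r"^(?:…|\.\.\.)\s*(?P<hidden>\d+) more not shown$")

# Assumption: these are the only two severity labels the report emits. Lower rank = fix first.
SEVERITY_RANK = {"Serious": 0, "Worth fixing": 1}
# Prefixes seen in this report that hold sample/benchmark pins rather than the library's own
# dependencies. Extend for your repository layout (assumption, not a gitsafehub rule).
NON_RUNTIME_PREFIXES = ("examples/", "benchmark/")


@dataclass(frozen=True)
class Finding:
    severity: str
    cve: str
    package: str  # "(unknown)" when the report line carries no "package:" prefix
    title: str
    path: str


def parse_findings(report: str):
    """Return (findings, hidden_count).

    The line after each bullet is the manifest path; the explanatory third line
    is skipped. hidden_count comes from the '… N more not shown' line, if present.
    """
    findings = []
    hidden = 0
    pending = None  # header fields waiting for their path line
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FINDING_RE.match(line)
        if m:
            pm = PACKAGE_RE.match(m["rest"])
            pending = {
                "severity": m["severity"],
                "cve": m["cve"],
                "package": pm["package"] if pm else "(unknown)",
                "title": pm["title"] if pm else m["rest"],
            }
            continue
        t = TRUNCATION_RE.match(line)
        if t:
            hidden = int(t["hidden"])
            continue
        if pending is not None:  # first line after a bullet is the manifest path
            findings.append(Finding(path=line, **pending))
            pending = None
    return findings, hidden


def is_runtime_manifest(path: str) -> bool:
    """True unless the manifest lives under a known example/benchmark directory."""
    return not path.startswith(NON_RUNTIME_PREFIXES)


def triage(report: str) -> dict:
    """Collapse findings to one row per (package, path); worst severity first,
    runtime manifests before example/benchmark ones."""
    findings, hidden = parse_findings(report)
    groups = {}
    for f in findings:
        g = groups.setdefault((f.package, f.path), {"severity": f.severity, "cves": set()})
        g["cves"].add(f.cve)
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[g["severity"]]:
            g["severity"] = f.severity
    rows = [
        {"package": pkg, "path": path, "severity": g["severity"],
         "cves": sorted(g["cves"]), "runtime": is_runtime_manifest(path)}
        for (pkg, path), g in groups.items()
    ]
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], not r["runtime"], r["package"], r["path"]))
    return {"rows": rows, "parsed": len(findings), "hidden": hidden}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for r in result["rows"]:
        kind = "runtime" if r["runtime"] else "example/benchmark"
        print(f'{r["severity"]:<13} {r["package"]:<12} {kind:<18} {r["path"]}  {", ".join(r["cves"])}')
    print(f'{result["parsed"]} findings parsed, {result["hidden"]} more not shown in the report')
```

Paste the full finding list from the page into SAMPLE_REPORT (or read it from a file) and the 103 entries collapse to a short list of package-plus-manifest upgrades; the hidden count reminds you that the page itself is not a complete inventory, so the authoritative run is Trivy against the checked-out repository.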

Known OSS vulnerabilities — OSV-Scanner timed out

Your dependencies cross-checked against the OSV vulnerability database.

This check didn’t finish, which is not the same as “clean”: vulnerabilities recorded in OSV may still be present. Re-run the scan before relying on this result.

via OSV-Scanner v1.9.2 · Apache-2.0

error: timeout after 60s

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t run, so there is no maintenance signal for this repository yet. Re-run the scan to obtain one.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.