Skip to main content
Snyk Report

Python security insights

How secure is the Python ecosystem? Based on millions of scans performed by Snyk, this report analyzes the security of Python projects. Read this report to learn about common security issues and trends.

The security footprint of Python projects

47% of Python projects are vulnerable

An average Python project has around 35 dependencies. Out of these, 17 are direct dependencies and 18 are indirect dependencies.

In 47% of these projects, dependencies are introducing vulnerabilities. An average vulnerable project consists of 33 known vulnerabilities, out of which 10% are critical severity vulnerabilities, 26% are high severity, 26% medium severity, and 38% low severity.

The good news – you can eliminate 87% of known vulnerabilities by upgrading the vulnerable package!

Snyk’s automated fix PRs will help you automatically find, prioritize and fix vulnerabilities in your Python dependencies.

Vulnerabilities in projects by severity

Critical

10%

High

26%

Medium

26%

Low

38%

Common security issues in Python projects

OWASP top 10 found in the majority of Python projects

Snyk Code – Snyk’s Static Application Security Testing (SAST) solution – was trained using over 120K Python projects on GitHub. Over 60% of these projects were found to include issues on OWASP’s 2021 top 10 list with XSS (Cross Site Scripting) found in 20% of projects.

There are two issues specific to Python, though:

  • Unicode issues: Like most programming languages older than 10 years, Python has a history of issues related to handling encoding in strings.

  • Closing API calls: When interacting with external resources such as file or network streams, calling the close function signals the system to flush the content as well as to free any handles.

Snyk’s Python cheatsheet provides a list of typical issue types with concrete advice on how to tackle them.

Top 5 Python Issues Reported by Snyk Code

XXS

28%

TLS Cert Disabled

23%

Path Traversal

23%

Hardcoded Secret

14%

SQL Injection

12%

Commonly downloaded Python packages

Python packages are healthy!

What open source packages are Python developers using? How healthy are these projects? Are these packages secure? How are they included in projects? To answer these questions we looked at two key datasets – the 1000 most downloaded packages from PyPI and the 1000 most common packages used in the Python projects monitored by Snyk.

To examine PyPI package downloads, we used Snyk Advisor – a free, online, research tool that helps you decide which open source packages or container base images to use to build your Python project. Containing all projects from PyPI, Snyk Advisor calculates a health score based on packages’ popularity, security, maintenance, and community strength. For the 1000 most downloaded Python packages from PyPI, Snyk Advisor suggests an average high health score of 81%!

Package# of downloads*Health scoreLast release date**AgeLicenseContributorsDependencies
urllib3158,893,22898.50%Jun 25, 202112 yearsMIT2500
boto3134,136,17195.50%Jul 28, 20217 yearsApache-2.01106
six128,572,88886.93%May 5, 202111 yearsMIT600
botocore128,304,03297.00%Jul 27, 20219 yearsApache-2.01304
requests116,360,26297.00%Jul 13, 202110 yearsApache-2.04107
certifi113,424,29785.70%May 30, 202110 yearsMPL-2.0300
setuptools113,270,73395.64%Jul 19, 202115 yearsMIT3800
idna112,275,17083.60%May 29, 20218 yearsBSD-3-Clause200
chardet107,130,51988.43%Dec 10, 202015 yearsLGPL-2.1400
python-dateutil100,233,78894.14%Jul 14, 202113 yearsApache-2.0 OR BSD-2-Clause1101

* Average monthly downloads for the period of March 21 - June 21.

** At the time of writing.

*** In the latest version.

The most vulnerable packages in Python projects

#1 downloaded package on PyPi is vulnerable

With millions of downloads a week, urllib3 is the most downloaded Python package on PyPI. It is also the 3rd most used package in the projects monitored by Snyk.

While the latest version of the package is safe to use, previous versions include security vulnerabilities, including high and medium severity issues. Version 1.24.3, downloaded over 2 million times a week, includes a high severity CRLF injection vulnerability. Version 1.26.3, downloaded over 1.5 million times a week contains an Improper Certificate Validation vulnerability.

PackageUseVulnerabilitiesMinimum known vuln free versionWeekly downloads
urllib3HTTP clientCritical – 0, High – 3, Medium – 6, Low – 11.26.6 (latest)38M
pillowImaging libraryCritical – 1, High – 18, Medium – 7, Low –8.3.1 (latest)8.3M
PyYAMLYAML parser and emitterCritical – 4, High – 0, Medium – 0, Low – 05.421M
ipaddressIPv4/IPv6 manipulation libraryCritical – 0, High – 1, Medium – 2, Low – 01.5M
cryptographyCryptographic recipes and primitivesCritical – 0, High – 4, Medium – 3, Low – 011.2M
djangoHigh-level Python Web frameworkCritical – 0, High – 8, Medium – 15, Low – 53.1.131.6M
jinja2A fast and expressive template engineCritical – 0, High – 1, Medium – 4, Low – 52.11.317M
pygmentsA syntax highlighting packageCritical -1, High – 2, Medium – 0, Low – 02.7.46M
requestsHTTP clientCritical -1, High – 0, Medium – 5, Low – 02.20.037M
rsaRSA implementationCritical -0, High – 2, Medium – 3, Low – 04.716M

Vulnerabilities in Python containers

Most container vulnerabilities can be fixed using slimmer images

While it’s pretty easy to get a Python app running in a container, as with so much in life the “easy way” isn’t always the best way. Containers come with pre-installed Linux packages, which may or may not be important to making your app run but will impact your vulnerability reports.

Popular Python base images vary in size and the number of vulnerabilities they introduce. “Fat” images like :3.9, :3.8, and :3.7 are the most common, despite all the best practices stating you should use a slimmer base image to reduce attack surface. You can get both worlds in containers through the use of multi-stage builds, starting with the bigger images to simplify building and testing your code and then moving the required production packages to a slim image in the final stage.

A word about this report

Snyk performs millions of monthly scans of hundreds of thousands of Python projects, providing us with the ability to describe what an average Python project looks like and give you an idea of what you might find when you scan one of your Python projects. The data used for this report was taken from the Snyk Intel Vulnerability Database, hundreds of thousands of Python projects monitored by Snyk, the same number of projects used as a training set for Snyk Code, and Snyk Advisor.