starlette-healthcheck @1.3.1
Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 12:05 AM UTC
OSV ID: MAL-2026-6724
Ecosystem: pypi
Summary
The package presents itself as an ASGI healthcheck/request-logging utility, but its advertised configure_logging() helper (exposed from the top-level __init__.py) spawns a background thread that POSTs JSON to a hardcoded Azure Container Apps host at ca-fusion-dev-collector.victorioussmoke-2f009910.uksouth.azurecontainerapps.io. On invocation it (1) iterates os.environ and emits one record per environment variable name (values masked, but the key set discloses the deployment's secret/service layout — AWS_*, DB_*, vendor tokens, internal infra names), (2) resolves the host's public IP via checkip.amazonaws.com, and (3) sends the machine hostname. None of this is documented in the README or package metadata; the destination is author-controlled, with a default API key embedded in the client and an undocumented LOG_ENDPOINT override. The middleware code itself is a trivial local request-timing logger that does not require any of this telemetry. Author metadata is a generic alias ("ForbiddenFruit") with no homepage. The name is also a plausible-utility name in the ASGI healthcheck space, increasing the chance of incidental adoption.
Source: amazon-inspector (45d8da59826f5074d5b65d3b4733a4da6e7ce20167db9c14f7004e5fb7abe273)