NumPy is a widely used PyPI package. As of 2026-05-24, there are 16 known vulnerabilities in the OSV database. The latest stable version is 2.4.6. Developers should audit their dependency trees and update to patched versions.
Package Overview
Known Vulnerabilities (16)
| ID | Severity | Score | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2019-6446 | CRITICAL | 9.5 | >= 0 | N/A | Numpy Deserialization of Untrusted Data |
| CVE-2014-1859 | HIGH | 7.5 | 0 to 1.8.1 | 1.8.1 | Numpy arbitrary file write via symlink attack |
| CVE-2021-41495 | HIGH | 7.5 | 0 to 1.19 | 1.19 | NumPy NULL Pointer Dereference |
| CVE-2014-1858 | HIGH | 7.5 | 0 to 1.8.1 | 1.8.1 | Arbitrary file write in NumPy |
| CVE-2017-12852 | HIGH | 7.5 | 0 to 1.13.3 | 1.13.3 | Numpy missing input validation |
| CVE-2021-33430 | MODERATE | 5.0 | 1.9.0 to 1.21 | 1.21 | NumPy Buffer Overflow (Disputed) |
| CVE-2021-41496 | MODERATE | 5.0 | 0 to 1.19 | 1.19 | Buffer Copy without Checking Size of Input in NumPy |
| CVE-2021-34141 | MODERATE | 5.0 | 0 to 1.22 | 1.22 | Incorrect Comparison in NumPy |
| CVE-2017-12852 | UNKNOWN | - | 0 to 1.13.3 | 1.13.3 | The numpy.pad function in Numpy 1.13.1 and older versions is missing input validation. An empty list or ndarray will stick into an infinite loop, which can allow attackers to cause a DoS attack. |
| CVE-2014-1858 | UNKNOWN | - | 0 to 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15; 0 to 1.8.1 | 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15 | __init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file. |
| CVE-2014-1859 | UNKNOWN | - | 0 to 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15; 0 to 1.8.1 | 0bb46c1448b0d3f5453d5182a17ea7ac5854ee15 | (1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink att |
| CVE-2019-6446 | UNKNOWN | - | 0 to 1.16.1 | 1.16.1 | ** DISPUTED ** An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object |
| CVE-2021-33430 | UNKNOWN | - | 1.9.0 to 1.10.0 | 1.10.0 | A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malic |
| CVE-2021-34141 | UNKNOWN | - | 1.9.0 to 1.10.0 | 1.10.0 | Incomplete string comparison in the numpy.core component in NumPy1.9.x, which allows attackers to fail the APIs via constructing specific string objects. |
| CVE-2021-41495 | UNKNOWN | - | 0 to 1.19.1 | 1.19.1 | Null Pointer Dereference vulnerability exists in numpy.sort in NumPy < and 1.19 in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks |
| CVE-2021-41496 | UNKNOWN | - | 0 to 1.19.0 | 1.19.0 | Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative valu |
Security Recommendations
- Pin NumPy to the latest stable version (2.4.6) in your dependency manifest
- Enable automated dependency updates with Dependabot or Renovate
- Run regular vulnerability scans using
pip-audit - Review your lock file (requirements.txt) after every update
- Monitor the OSV database and NIST NVD for new advisories
FAQ
Is NumPy safe to use?
NumPy is actively maintained and widely used. As of 2026-05-24, there are 16 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does NumPy have?
The OSV database currently lists 16 vulnerabilities for NumPy. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update NumPy to fix vulnerabilities?
Run pip install --upgrade numpy to get the newest version. Use pip-audit or safety check to scan for known vulnerabilities. Pin your dependencies with a requirements file and review updates regularly.
Using AI-Generated Code with NumPy?
Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses NumPy, we can verify it is locked to a safe version and properly configured.
Get a Vibe Coding Security Audit