All Celery CVEs — Complete Vulnerability History
Celery is Python's distributed task queue. CVEs here affect task result handling and authentication. Keep it updated especially if your Celery broker or backend is accessible from untrusted networks.
PyPI · 10M+ weekly downloads · 2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2021-23727 | 2021 | HIGH | Privilege escalation via task result backend | Fixed 5.2.2 |
| CVE-2021-27928 | 2021 | MEDIUM | Unsafe deserialization via Pickle backend | Fixed 5.0.5 |
Current safe version: 5.3.6
Pin the patched release in requirements.txt:

```text
# Before
celery==5.2.7

# After
celery==5.3.6
```

Then run: pip install -r requirements.txt
Common questions
Is using Pickle as the Celery result backend safe?
No — Pickle deserialisation can instantiate arbitrary Python objects and run code, so it should never be used for task messages or task results that may come from an untrusted source. Use JSON for both directions and restrict what workers will accept: `task_serializer='json'`, `result_serializer='json'`, `accept_content=['json']`.
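The following is an added audit check, not code from Celery or from this page's author. It takes a plain dict of Celery configuration keys (the same keys you would pass to `app.conf.update()`) and reports any setting that would let a client or worker serialise or accept Pickle payloads. The configuration key names and the `application/x-python-serialize` content type are Celery/Kombu's real names; the two sample configs are constructed for illustration, and a missing key is treated as Celery's default, which is JSON.

```python
"""Audit Celery serializer settings for Pickle exposure (added example)."""
from typing import Dict, List

# Real Celery configuration keys that select a serializer.
SERIALIZER_KEYS = ("task_serializer", "result_serializer", "event_serializer")
# Real Celery configuration keys that list the content types a worker/client will decode.
ACCEPT_KEYS = ("accept_content", "result_accept_content")

# Pickle may be named by its short alias or by the MIME type Kombu registers for it.
UNSAFE = {"pickle", "application/x-python-serialize"}


def audit_serializers(conf: Dict[str, object]) -> List[str]:
    """Return one finding per setting that enables Pickle; empty list means clean.

    Keys absent from `conf` are assumed to be at Celery's default ('json'),
    which is the case for Celery 4.0 and later.
    """
    findings: List[str] = []

    for key in SERIALIZER_KEYS:
        value = conf.get(key)
        if value is not None and str(value).lower() in UNSAFE:
            findings.append(f"{key}={value!r}: switch to 'json'")

    for key in ACCEPT_KEYS:
        allowed = conf.get(key)
        if allowed is None:
            continue
        bad = sorted(str(v) for v in allowed if str(v).lower() in UNSAFE)
        if bad:
            findings.append(f"{key} accepts {bad}: restrict to ['json']")

    return findings


# Constructed sample configurations (hypothetical, not from any real deployment).
WEAK_CONF = {
    "task_serializer": "pickle",
    "result_serializer": "pickle",
    "accept_content": ["pickle", "json"],
}

HARDENED_CONF = {
    "task_serializer": "json",
    "result_serializer": "json",
    "accept_content": ["json"],
}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_serializers(conf) or 'no Pickle exposure found'}")
```

`accept_content` is the setting that actually matters on the worker side: a worker that only accepts JSON will reject a Pickle-encoded message from the broker rather than deserialise it, so auditing the accept lists catches misconfigurations that changing `task_serializer` alone would miss.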
Does Celery expose a network endpoint?
Celery workers connect to a broker (RabbitMQ, Redis) and listen for tasks. The broker should never be exposed to untrusted networks. Access control on your broker is as important as keeping Celery updated.