instagrapi is vulnerable to Insertion of Sensitive Information into Log File
51
Medium Risk
The change_password branch of challenge_resolve_simple in instagrapi/mixins/challenge.py printed the freshly rotated account password to stdout via a print() call. When the change_password challenge flow runs and a change_password_handler returns a new password, that plaintext credential is written to stdout and any attached application logs. Anyone able to read that output (log files, journald, aggregated logging) can recover the account password. The fix removes the print() and logs only the password length and attempt metadata, with a regression test asserting the secret never reaches stdout or logs.
You are affected if you are using a version that falls within the vulnerable range and your application uses the change_password challenge flow via change_password_handler.
instagrapi is vulnerable to Insertion of Sensitive Information into Log File in versions 1.10.0 - 2.5.10.
Upgrade the instagrapi library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant