Celery

registryPyPI

package namecelery

maintainerCelery Contributors

Celery is the most widely used distributed task queue for Python, used to offload work from web application processes to background workers. It connects to a message broker (typically Redis or RabbitMQ) and a result backend, and is used in production Django and Flask applications for email sending, image processing, and API integrations.

api usage

Checking Celery

celery 5.4.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=celery&version=5.4.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "celery",
  "version": "5.4.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Task queue packages process serialized task payloads from a message broker. A backdoored version can deserialize and exfiltrate task arguments (which often contain user data, API tokens, or session credentials) before executing the task function.

Attestd monitors celery using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

pypi_yank

Versions yanked on PyPI with a security-related yanked_reason annotation. Confidence 0.80.

Supply chain overview All PyPI packages Apache Airflow Django Flask redis CVE coverage Response fields