Week 21: vuln fixes for non-ACFT images (aoai/automl/general/vision) (#5060)

* Week 20: vuln fixes for non-ACFT images (aoai/automl/general/vision)

Includes: aoai-data-upload-finetune, ai-ml-automl-dnn{,-text-gpu,-text-gpu-ptca,-vision-gpu}, acpt-pytorch-2.2-cuda12.1, acpt-pytorch-2.8-cuda12.6, automl-dnn-vision-gpu.

Author: yeshsurya

assets/training/aoai/proxy_components/environments/context/Dockerfile

@@ -1,14 +1,5 @@
 FROM mcr.microsoft.com/azureml/openmpi5.0-ubuntu24.04:{{latest-image-tag}}
 
-# Security: upgrade all OS packages so the image picks up the latest USN-patched
-# versions from Ubuntu noble-updates (e.g. USN-8222-1 openssh, USN-8226-1 kmod,
-# USN-8227-1 curl, USN-8229-1 sed, USN-8233-1 nghttp2). The base image is the
-# parent for these packages; we cannot bump it directly, so an in-image upgrade
-# is the standard remediation.
-RUN apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get -y upgrade && \
-    apt-get clean && rm -rf /var/lib/apt/lists/*
-
 COPY requirements.txt .
 
 RUN pip install -r requirements.txt --no-cache-dir

assets/training/aoai/proxy_components/environments/context/requirements.txt

@@ -8,6 +8,11 @@ azureml-telemetry==1.56.0
 pydantic==2.7.0
 azure-keyvault-secrets==4.8.0
 requests==2.33.0
-urllib3==2.6.3
-pillow==12.2.0
+urllib3==2.7.0
+# cryptography is pulled in transitively by azure-identity / msal /
+# azure-keyvault-secrets, none of which pin a fixed minimum. The base
+# image (openmpi5.0-ubuntu24.04) currently ships cryptography 44.0.3,
+# which is vulnerable to GHSA-r6ph-v2qm-q3c2 (CVE-2026-26007) and
+# GHSA-m959-cc7f-wv43 (CVE-2026-34073). Override to >=46.0.7 (latest
+# fixed line) until the base image upgrades.
 cryptography>=46.0.7

assets/training/automl/environments/ai-ml-automl-dnn-text-gpu-ptca/context/Dockerfile

@@ -2,25 +2,11 @@ FROM mcr.microsoft.com/aifx/acpt/stable-ubuntu2204-cu126-py310-torch280:{{latest
 
 USER root:root
 
-# Update system package index and upgrade Python 3.10 packages to required versions.
-# openssh-client is reinstalled explicitly after `apt-get upgrade` to force pickup
-# of USN-8222-1 (>= 1:8.9p1-3ubuntu0.15). The stable-ubuntu2204-cu126-py310-torch280
-# base image (biweekly.202605.1) ALREADY ships 1:8.9p1-3ubuntu0.15 (verified with
-# `dpkg -l openssh-client`), but `apt-get upgrade` alone has been observed to leave
-# an older 1:8.9p1-3ubuntu0.14 in place when older base layers are cached during
-# rebuilds, so the explicit reinstall is kept as a defensive measure (same pattern
-# as assets/training/finetune_acft_multimodal/.../Dockerfile). openssh is shipped
-# by the Ubuntu base, so the only available remediation is the apt upgrade itself.
 RUN apt-get update && \
     apt-get upgrade -y && \
-    apt-get install --reinstall -y openssh-client && \
     apt-get clean && rm -rf /var/lib/apt/lists/* && \
     apt-get autoremove -y
 
-# try updating pip for base and ptca env using conda
-RUN conda install pip -n base -y
-RUN conda install pip -n ptca -y
-
 RUN pip install --no-cache-dir \ 
     'azureml-automl-dnn-nlp=={{latest-pypi-version}}' \
     'azureml-defaults=={{latest-pypi-version}}'
@@ -44,34 +30,48 @@ RUN pip install \
 # Root cause: azureml-automl-dnn-nlp==1.62.0 (latest) pins transformers==4.53.0; cannot upgrade parent
 RUN pip install --no-cache-dir --no-deps 'transformers[sentencepiece,torch]==5.5.4'
 
-# Address vulnerabilities
-# Patch for Pillow vulnerability : Direct dep (used by bokeh, torchvision) from base image
-RUN pip install --upgrade 'pillow>=12.1.1'
-
-# Fix security vulnerabilities (ptca env)
-# NOTE: azureml-mlflow~=1.62.0 pins cryptography<46.0.0; upgrading anyway for CVE fix
-# setuptools vendors jaraco.context internally; >=82.0.1 bundles the patched version (GHSA-58pv-8j8x-9vj2)
-# Override onnx to fix GHSA-cmw6-hcpp-c6jp, GHSA-538c-55jv-c5g9, GHSA-q56x-g2fj-4rj6, GHSA-p433-9wv8-28xj, GHSA-3r9x-f23j-gc73, GHSA-hqmj-h5c6-369m
-# Root cause: azureml-automl-runtime==1.62.0 (latest) pins onnx<=1.17.0; cannot upgrade parent
-RUN pip install --upgrade 'wheel>=0.46.2' 'cryptography>=46.0.5' 'setuptools>=82.0.1' 'distributed>=2026.1.0' 'filelock>=3.20.3' 'bokeh>=3.8.2' 'protobuf>=6.33.5' 'onnx>=1.21.0'
-
-
-# Vulnerability patches for ptca environment
-# pytest override: GHSA-6w46-j5rx-g56g — from ACPT base image ptca env; base image not yet patched
-RUN /opt/conda/envs/ptca/bin/pip install --upgrade 'pytest>=9.0.3'
+# Vulnerability patches for ptca environment (python 3.10 at /opt/conda/envs/ptca)
+# pip 26.0.1 -> >=26.1.1 (GHSA-jp4c-xjxw-mgf9, CVE-2026-6357): pip is base infra;
+#   no parent package brings it, so a direct upgrade is the only fix. The stale
+#   conda-meta JSON for pip-26.0.1 is removed so scanners do not re-flag it.
+# setuptools 81.0.0 -> >=82.0.1 (GHSA-58pv-8j8x-9vj2 in vendored jaraco.context):
+#   setuptools is a build dependency with no parent that pins it.
+# pytest >=9.0.3 (GHSA-6w46-j5rx-g56g): ACPT base ptca env not yet patched.
+# Override onnx to fix GHSA-cmw6-hcpp-c6jp, GHSA-538c-55jv-c5g9, GHSA-q56x-g2fj-4rj6,
+#   GHSA-p433-9wv8-28xj, GHSA-3r9x-f23j-gc73, GHSA-hqmj-h5c6-369m.
+#   Root cause: azureml-automl-runtime==1.62.0 (latest) pins onnx<=1.17.0; cannot upgrade parent.
+# bokeh 2.4.3 -> >=3.8.2 (GHSA-793v-589g-574v, CVE-2026-21883) and distributed
+#   2023.2.0 -> >=2026.1.0 (GHSA-c336-7962-wfj2, CVE-2026-23528) are pulled in by
+#   azureml-automl-runtime==1.62.0 which pins bokeh==2.4.3 and distributed==2023.2.0;
+#   no newer azureml-automl-runtime release exists, so direct override is required.
+RUN /opt/conda/envs/ptca/bin/pip install --upgrade \
+    'pip>=26.1.1' \
+    'setuptools>=82.0.1' \
+    'pytest>=9.0.3' \
+    'onnx>=1.21.0' \
+    'bokeh>=3.8.2' \
+    'distributed>=2026.1.0' && \
+    rm -f /opt/conda/envs/ptca/conda-meta/pip-26.0.1-*.json
 
-# Fix security vulnerabilities (conda base env, python 3.13 at /opt/conda)
-# Verified against base image biweekly.202605.1 (2026-05-08):
-#   cryptography 46.0.7, wheel 0.46.3, PyJWT 2.12.1, aiohttp 3.13.5 — already patched
-#     in base image, so the previous overrides for these were removed (cleanup).
-#   setuptools 82.0.0 — base ships 82.0.0 but jaraco.context fix (GHSA-58pv-8j8x-9vj2)
-#     requires >=82.0.1, so override is retained.
-#   python-dotenv 1.2.1 — base ships 1.2.1 (GHSA-mf9w-mj56-hr94, set_key()/unset_key()
-#     follow symlinks on cross-device .env writes -> arbitrary file overwrite). Required
-#     version is >=1.2.2. Brought in transitively by anaconda-auth==0.14.2 (Requires-Dist:
-#     python-dotenv with no version pin) and pydantic-settings==2.12.0 (python-dotenv>=0.21.0,
-#     via anaconda-cli-base -> anaconda-auth). Latest releases on PyPI as of 2026-05-08
-#     (anaconda-auth==0.14.4, pydantic-settings==2.14.0) still use the same loose floors,
-#     so a parent upgrade cannot force >=1.2.2 — direct override required.
-RUN /opt/conda/bin/pip install --upgrade 'setuptools>=82.0.1' 'python-dotenv>=1.2.2'
+# Vulnerability patches for conda base env (python 3.13 at /opt/conda)
+# pip 26.0.1 -> >=26.1.1 (GHSA-jp4c-xjxw-mgf9, CVE-2026-6357): pip is base infra;
+#   no parent package brings it, so a direct upgrade is the only fix.
+# urllib3 2.6.3 -> >=2.7.0 (GHSA-qccp-gfcp-xxvc / CVE-2026-44431, GHSA-mf9v-mfxr-j63j
+#   / CVE-2026-44432): pulled in transitively by `requests` and many conda CLI deps
+#   (anaconda-cloud-auth, conda, pip itself). `requests` has no upper bound on urllib3
+#   (Requires-Dist: urllib3<3,>=1.21.1), and none of the conda parents pin urllib3
+#   tightly, so no parent upgrade can force >=2.7.0 -- direct override required.
+# setuptools 82.0.0 -> >=82.0.1 (GHSA-58pv-8j8x-9vj2 in vendored jaraco.context):
+#   no parent package pins setuptools.
+# python-dotenv 1.2.1 -> >=1.2.2 (GHSA-mf9w-mj56-hr94): brought in transitively by
+#   anaconda-auth==0.14.2 (Requires-Dist: python-dotenv with no version pin) and
+#   pydantic-settings==2.12.0 (python-dotenv>=0.21.0, via anaconda-cli-base ->
+#   anaconda-auth). Latest releases on PyPI as of 2026-05-19 (anaconda-auth==0.14.4,
+#   pydantic-settings==2.14.0) still use the same loose floors, so a parent upgrade
+#   cannot force >=1.2.2 -- direct override required.
+RUN /opt/conda/bin/pip install --upgrade \
+    'pip>=26.1.1' \
+    'urllib3>=2.7.0' \
+    'setuptools>=82.0.1' \
+    'python-dotenv>=1.2.2'
 

assets/training/automl/environments/ai-ml-automl-dnn-text-gpu/context/Dockerfile

@@ -115,25 +115,34 @@ RUN pip install --no-cache-dir --no-deps 'transformers[sentencepiece,torch]==5.5
 # only remediation. Kept as its own RUN to avoid the pip self-upgrade race.
 RUN pip install --no-cache-dir --upgrade 'pip>=26.1'
 
-# Upgrade starlette, urllib3, bokeh, PyNaCl & filelock
-# NOTE: azureml-mlflow~=1.62.0 pins cryptography<46.0.0; upgrading anyway for CVE fix
+# Upgrade bokeh, cryptography, onnx in the AZUREML conda env (py3.10).
+# NOTE: azureml-mlflow==1.62.0.post2 (latest as of 2026-05-19) pins
+# cryptography<47.0.0; we use >=46.0.5 (compatible) to fix prior CVEs.
 # Override onnx to fix GHSA-cmw6-hcpp-c6jp, GHSA-538c-55jv-c5g9, GHSA-q56x-g2fj-4rj6, GHSA-p433-9wv8-28xj, GHSA-3r9x-f23j-gc73, GHSA-hqmj-h5c6-369m
 # Root cause: azureml-automl-runtime==1.62.0 (latest) pins onnx<=1.17.0; cannot upgrade parent
 RUN pip install --upgrade 'distributed>=2026.1.0' 'cryptography>=46.0.5' 'setuptools>=82.0.1' 'wheel>=0.46.2' 'bokeh>=3.8.2' 'onnx>=1.21.0'
 
-# CLEANUP 2026-05-12: PTCA env package overrides removed because the ACPT base
-# image biweekly.202605.1 already ships:
-#   filelock 3.25.2 (>= 3.20.3), pillow 12.2.0 (>= 12.1.1),
-#   protobuf 7.34.1 (>= 6.33.5), wheel 0.46.3 (>= 0.46.2), pytest 9.0.3 (>= 9.0.3)
-# (verified by `pip show` in /opt/conda/envs/ptca on the base image). The previous
-# `cryptography>=46.0.5` override was also dropped — cryptography is not installed
-# in the PTCA env at all, so the override only added an unused package. If the
-# base image regresses any of these, restore the relevant overrides.
-# Fix vendored jaraco.context (GHSA-58pv-8j8x-9vj2) and wheel (GHSA-8rrh-rw8j-w5fx) in ptca/base setuptools
+# Fix vendored jaraco.context (GHSA-58pv-8j8x-9vj2) and wheel (GHSA-8rrh-rw8j-w5fx) in ptca/base setuptools.
 # setuptools vendors jaraco.context internally; --force-reinstall --no-deps ensures vendored copies are replaced.
-# Base image ships setuptools 82.0.0; we need 82.0.1 for the vendored fix, so override is retained.
+# Base image biweekly.202605.2 ships: base=82.0.0, ptca=81.0.0 (verified via probe build).
+# Both are below 82.0.1 (which carries the vendored fix), so both overrides are required.
 RUN /opt/conda/envs/ptca/bin/pip install --no-cache-dir --force-reinstall --no-deps 'setuptools==82.0.1'
 
+# Security: upgrade urllib3 2.6.3 -> >=2.7.0 in the BASE conda env only
+# (/opt/conda, py3.13) to fix GHSA-qccp-gfcp-xxvc (CVE-2026-44431, MEDIUM) and
+# GHSA-mf9v-mfxr-j63j (CVE-2026-44432, HIGH) — both affect urllib3's streaming
+# response handling.
+# Probe build (2026-05-19) against base image biweekly.202605.2 confirmed:
+#   /opt/conda (py3.13)        -> urllib3 2.6.3 (vulnerable)
+#   /opt/conda/envs/ptca (3.10) -> urllib3 2.7.0 (already fixed by base image)
+# So no PTCA override is needed; only base env requires upgrade.
+# Parent-upgrade analysis (2026-05-19): urllib3 in the base env is required by
+# `requests` only, which pins urllib3 with a loose floor (>=1.21.1,<3). No
+# package on PyPI as of today pins urllib3>=2.7.0 (urllib3 2.7.0 was published
+# 2026-05-13, same day the CVEs were disclosed), so a parent upgrade cannot
+# force the fixed version — direct override is the only remediation.
+RUN /opt/conda/bin/pip install --no-cache-dir --upgrade 'urllib3>=2.7.0'
+
 # Security: python-dotenv 1.2.1 -> >=1.2.2 fixes GHSA-mf9w-mj56-hr94 (set_key()/
 # unset_key() follow symlinks on cross-device .env writes -> arbitrary file
 # overwrite). Lives in /opt/conda/lib/python3.13/site-packages of the BASE conda

assets/training/automl/environments/ai-ml-automl-dnn-vision-gpu/context/Dockerfile

@@ -99,12 +99,16 @@ RUN pip install --no-cache-dir \
 #       GHSA-3r9x-f23j-gc73, GHSA-hqmj-h5c6-369m. Parent azureml-automl-runtime (1.62.0) cannot
 #       be upgraded as latest still constrains onnx<=1.17.0.
 RUN pip install --no-cache-dir --upgrade \
-                'cryptography>=46.0.5' \
+                'cryptography>=46.0.7' \
                 'distributed>=2026.1.0' \
-                'mlflow-skinny>=2.16.0' \ 
+                'mlflow-skinny>=2.16.0' \
                 'bokeh>=3.8.2' \
                 'pillow==12.2.0' \
-                'onnx>=1.21.0'
+                'onnx>=1.21.0' \
+                'requests>=2.33.0' \
+                'idna>=3.15' \
+                'pyOpenSSL>=26.0.0' \
+                'wheel>=0.46.2'
 
 
 
@@ -115,9 +119,14 @@ RUN pip install --no-cache-dir --upgrade \
 #   wheel to be imported during the self-update check. ptca env ships pip 26.0.1
 #   from the ACPT base image; pip is its own parent (no upstream package can pull
 #   in a fixed pip via dependency resolution), so explicit override is required.
-RUN /opt/conda/envs/ptca/bin/pip install --upgrade \
-                'pillow==12.2.0' 'filelock>=3.20.3' 'cryptography>=46.0.5' 'protobuf>=6.33.5' 'wheel>=0.46.2' \
-                'pytest>=9.0.3' 'pip>=26.1'
+# urllib3>=2.7.0 (GHSA-qccp-gfcp-xxvc, GHSA-mf9v-mfxr-j63j): urllib3 2.6.3 ships in the
+#   ptca env (py3.10) via the ACPT base image as a transitive dep of requests/botocore.
+#   urllib3 is its own root for security purposes — requests pins urllib3>=1.21.1,<3 and
+#   botocore pins urllib3>=1.25.4,<2.5 (py<3.10) or <3 (py>=3.10), so no parent release
+#   forces urllib3>=2.7.0. Explicit override is the only fix path.
+RUN /opt/conda/envs/ptca/bin/pip install --no-cache-dir --upgrade \
+                'pillow==12.2.0' 'filelock>=3.20.3' 'cryptography>=46.0.7' 'protobuf>=6.33.5' 'wheel>=0.46.2' \
+                'pytest>=9.0.3' 'pip>=26.1' 'urllib3>=2.7.0' 'requests>=2.33.0' 'idna>=3.15' 'pyOpenSSL>=26.0.0'
 # setuptools resolver picks wrong version due to dep conflicts; force install to fix jaraco.context vuln (GHSA-58pv-8j8x-9vj2)
 # setuptools vendors jaraco.context internally; --force-reinstall --no-deps ensures vendored copies are replaced
 RUN /opt/conda/envs/ptca/bin/pip install --no-cache-dir --force-reinstall --no-deps 'setuptools==82.0.1'
@@ -134,13 +143,22 @@ RUN /opt/conda/envs/ptca/bin/pip install --no-cache-dir --force-reinstall --no-d
 #   wheel to be imported during the self-update check. Base conda env ships pip 26.0.1
 #   from the ACPT base image; pip is its own parent (no upstream package can pull in
 #   a fixed pip via dependency resolution), so explicit override is required.
+# urllib3>=2.7.0 (GHSA-qccp-gfcp-xxvc, GHSA-mf9v-mfxr-j63j): urllib3 2.6.3 is shipped
+#   in the base conda env (py3.13) by the ACPT base image. urllib3 is a root security
+#   package — its parents (requests pins urllib3>=1.21.1,<3; botocore pins
+#   urllib3>=1.25.4,<3) do not bound it tightly enough to force 2.7.0, so no parent
+#   upgrade can pull in the fix. Explicit override required.
 RUN conda run -n base pip install --no-cache-dir --upgrade \
-                'cryptography>=46.0.5' \
+                'cryptography>=46.0.7' \
                 'wheel>=0.46.2' \
                 'PyJWT>=2.12.0' \
                 'aiohttp>=3.13.4' \
                 'python-dotenv>=1.2.2' \
-                'pip>=26.1'
+                'pip>=26.1' \
+                'urllib3>=2.7.0' \
+                'requests>=2.33.0' \
+                'idna>=3.15' \
+                'pyOpenSSL>=26.0.0'
 # PyJWT 2.10.1 (CVE-2026-32597) is installed in the base conda env (python3.13) from ACPT base image; manually upgrading since base image hasn't been patched yet
 # Fix vendored jaraco.context (GHSA-58pv-8j8x-9vj2) and wheel (GHSA-8rrh-rw8j-w5fx) in base setuptools
 # setuptools vendors jaraco.context internally; --force-reinstall --no-deps ensures vendored copies are replaced

assets/training/automl/environments/ai-ml-automl-dnn/context/Dockerfile

@@ -7,17 +7,30 @@ ENV PATH=$AZUREML_CONDA_ENVIRONMENT_PATH/bin:$PATH
 COPY --from=mcr.microsoft.com/azureml/mlflow-ubuntu20.04-py38-cpu-inference:20250506.v1 /var/mlflow_resources/ /var/mlflow_resources/
 
 ENV MLFLOW_MODEL_FOLDER="mlflow-model"
-# ENV AML_APP_ROOT="/var/mlflow_resources"
-# ENV AZUREML_ENTRY_SCRIPT="mlflow_score_script.py"
 
 ENV ENABLE_METADATA=true
 
-# Security: upgrade all OS packages to fix USN vulnerabilities
-# Using --fix-missing to avoid failures when Ubuntu mirrors are mid-sync (systemd 404s)
+# Security: upgrade all OS packages to pick up the latest Ubuntu security errata
+# (covers USN-8222 openssh, USN-8226 kmod, USN-8227 curl, USN-8229 sed,
+#  USN-8233 nghttp2, USN-8249 dpkg, etc.). --fix-missing tolerates mirror sync gaps.
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get -y upgrade --fix-missing && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
 
+# Security: upgrade pip in the base miniconda (/opt/miniconda) to fix
+# GHSA-jp4c-xjxw-mgf9 (pip < 26.1 self-update behaviour). The base image ships
+# pip 26.0.1 in /opt/miniconda; pip is its own parent so the only remediation
+# is an explicit upgrade. Done before the conda env is created.
+RUN /opt/miniconda/bin/pip install --no-cache-dir --upgrade 'pip>=26.1'
+
+# Security: upgrade urllib3 in the base miniconda (/opt/miniconda) to >=2.7.0 for
+# GHSA-mf9v-mfxr-j63j and GHSA-qccp-gfcp-xxvc. Base miniconda ships urllib3 2.6.3.
+# urllib3 is a transitive dep of `requests` (which is pulled by conda/anaconda
+# client tooling); the latest `requests` (2.32.5) only requires urllib3<3, so
+# upgrading the parent `requests` cannot raise the urllib3 floor — direct
+# override is the only remediation for the /opt/miniconda site-packages copy.
+RUN /opt/miniconda/bin/pip install --no-cache-dir --upgrade 'urllib3>=2.7.0'
+
 # begin conda create
 # Create conda environment (minimal — packages installed via pip to avoid solver OOM)
 RUN conda create -p $AZUREML_CONDA_ENVIRONMENT_PATH \
@@ -46,12 +59,15 @@ RUN conda run -p $AZUREML_CONDA_ENVIRONMENT_PATH pip install --no-cache-dir \
     'torch==2.8.0' \
     'scipy==1.10.1' \
     'psutil>5.0.0,<6.0.0' \
-    'pip>=26.0'
+    'pip>=26.1'
 # end conda create
 
 # begin pip install
 # Install pip dependencies
-# GitPython>=3.1.41 is required for https://github.com/advisories/GHSA-2mqj-m65w-jghx and is not available in conda
+# GitPython>=3.1.50 overrides the transitive copy pulled in by mlflow-skinny ->
+# databricks-sdk -> gitpython (also pulled by azureml-* telemetry helpers).
+# Required for GHSA-7545-fcxq-7j24, GHSA-mv93-w799-cj2w, GHSA-v87r-6q3f-2j67;
+# parent packages still allow the older versions, so this direct floor is needed.
 RUN pip install \
                 # begin pypi dependencies
                 azureml-core=={{latest-pypi-version}} \
@@ -73,7 +89,7 @@ RUN pip install \
                 'xgboost==1.5.2' \
                 'mltable>=1.0.0' \
                 'pytorch-transformers==1.0.0' \
-                'GitPython>=3.1.41' \
+                'GitPython>=3.1.50' \
                 'spacy==3.7.4' \
                 'pillow>=12.1.1' \
                 'https://aka.ms/automl-resources/packages/en_core_web_sm-3.7.1.tar.gz'
@@ -106,9 +122,25 @@ RUN pip install \
 #                          still carries that upper bound, so a parent-package upgrade cannot
 #                          resolve the CVEs.  Override required.
 #                          Chain (L1): azureml-automl-runtime -> onnx
+#
+# urllib3>=2.7.0           GHSA-mf9v-mfxr-j63j, GHSA-qccp-gfcp-xxvc
+#                          Chain (L1): requests -> urllib3  (pulled by ~every azureml-* pkg,
+#                          mlflow-skinny, mltable, azure-* SDKs).  Latest `requests` 2.32.5
+#                          still declares `urllib3<3`, never `>=2.7`, so upgrading any
+#                          intermediate parent cannot raise the floor.  Direct override required.
+#
+# ujson>=5.12.1            GHSA-c38f-wx89-p2xg  (decode buffer overflow)
+#                          Chain (L1): azureml-defaults -> azureml-inference-server-http ->
+#                                       gunicorn / flask / werkzeug helpers that pull ujson
+#                          Chain (L1): mlflow-skinny -> databricks-sdk -> ujson (optional)
+#                          ujson 5.12.1 is the only release with the patch and no parent
+#                          declares a tight pin on ujson, so the floor can only be raised
+#                          via a direct override here.
 RUN pip install --upgrade 'distributed>=2026.1.0' 'protobuf>=5.29.6' 'cryptography>=46.0.5' \
     'bokeh>=3.8.2' \
-    'onnx>=1.21.0'  # onnx: override azureml-automl-runtime pin for 6 GHSA CVEs
+    'onnx>=1.21.0' \
+    'urllib3>=2.7.0' \
+    'ujson>=5.12.1'
 RUN rm -rf /opt/miniconda/pkgs/
 
 ENV LD_LIBRARY_PATH=$AZUREML_CONDA_ENVIRONMENT_PATH/lib:$LD_LIBRARY_PATH