Skip to content

Updated constraints due security reasons (triggered on 2026-04-27T14:20:13+00:00 by 9e4811270b5b5e727e088a839c9a4a928c488230)#265

Merged
jmfernandez merged 1 commit into
mainfrom
create-pull-request/patch-audit-constraints
Apr 27, 2026
Merged

Updated constraints due security reasons (triggered on 2026-04-27T14:20:13+00:00 by 9e4811270b5b5e727e088a839c9a4a928c488230)#265
jmfernandez merged 1 commit into
mainfrom
create-pull-request/patch-audit-constraints

Conversation

@github-actions

@github-actions github-actions Bot commented Apr 20, 2026

Copy link
Copy Markdown
Contributor

Fixed dependency issues for Python 3.10

Name Version ID Fix Versions Description
lxml 6.0.2 CVE-2026-41066 6.1.0 ### Impact Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. ### Patches lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default. ### Workarounds Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. ### Resources Original report: https://bugs.launchpad.net/lxml/+bug/2146291 The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.

Fixed dependency issues for Python 3.11

Name Version ID Fix Versions Description
lxml 6.0.2 CVE-2026-41066 6.1.0 ### Impact Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. ### Patches lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default. ### Workarounds Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. ### Resources Original report: https://bugs.launchpad.net/lxml/+bug/2146291 The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.

Fixed dependency issues for Python 3.12

Name Version ID Fix Versions Description
lxml 6.0.2 CVE-2026-41066 6.1.0 ### Impact Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. ### Patches lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default. ### Workarounds Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. ### Resources Original report: https://bugs.launchpad.net/lxml/+bug/2146291 The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.

Fixed dependency issues for Python 3.13

Name Version ID Fix Versions Description
lxml 6.0.2 CVE-2026-41066 6.1.0 ### Impact Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. ### Patches lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default. ### Workarounds Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. ### Resources Original report: https://bugs.launchpad.net/lxml/+bug/2146291 The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.

Dependency issues not solved for Python 3.7

Name Version ID Fix Versions Description
aiohttp 3.8.6 PYSEC-2024-24 3.9.2 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
aiohttp 3.8.6 PYSEC-2023-250 3.9.0 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
aiohttp 3.8.6 PYSEC-2023-251 3.9.0 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
aiohttp 3.8.6 PYSEC-2024-26 3.9.2 aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.
aiohttp 3.8.6 GHSA-p998-jp59-783m 3.13.4 ### Summary On Windows the static resource handler may expose information about a NTLMv2 remote path. ### Impact If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there. ----- Patch: aio-libs/aiohttp@0ae2aa0
aiohttp 3.8.6 GHSA-hcc4-c3v8-rx92 3.13.4 ### Summary An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. ### Impact If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory. ----- Patch: aio-libs/aiohttp@c4d77c3
aiohttp 3.8.6 GHSA-m5qp-6w8w-w647 3.13.4 ### Summary A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. ### Impact Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability. ----- Patch: aio-libs/aiohttp@8a74257
aiohttp 3.8.6 GHSA-3wq7-rqq7-wx6j 3.13.4 ### Summary For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. ### Impact If an application uses Request.post() an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected. ----- Patch: aio-libs/aiohttp@cbb774f
aiohttp 3.8.6 GHSA-mwh4-6h8g-pg8w 3.13.4 ### Summary An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. ### Impact In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the response to send something different from what the developer intended. ----- Patch: aio-libs/aiohttp@53b35a2
aiohttp 3.8.6 GHSA-966j-vmvw-g2g9 3.13.4 ### Summary When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. ### Impact The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following a redirect. ----- Patch: aio-libs/aiohttp@5351c98
aiohttp 3.8.6 GHSA-7gpw-8wmc-pm8g 3.9.4 ### Summary A XSS vulnerability exists on index pages for static file handling. ### Details When using web.static(..., show_index=True), the resulting index pages do not escape file names. If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks. ### Workaround We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable show_index if unable to upgrade. ----- Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
aiohttp 3.8.6 GHSA-63hf-3vf5-4wqf 3.13.4 ### Summary The C parser (the default for most installs) accepted null bytes and control characters is response headers. ### Impact An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin() may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass. ----- Patch: aio-libs/aiohttp@9370b97
aiohttp 3.8.6 GHSA-5m98-qgg9-wh84 3.9.4 ### Summary An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. ### Impact An attacker can stop the application from serving requests after sending a single request. ------- For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in _read_chunk_from_length()): diff diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py index 227be605c..71fc2654a 100644 --- a/aiohttp/multipart.py +++ b/aiohttp/multipart.py @@ -338,6 +338,8 @@ class BodyPartReader: assert self._length is not None, "Content-Length required for chunked read" chunk_size = min(size, self._length - self._read_bytes) chunk = await self._content.read(chunk_size) + if self._content.at_eof(): + self._at_eof = True return chunk async def _read_chunk_from_stream(self, size: int) -> bytes: This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in: aio-libs/aiohttp@cebe526 aio-libs/aiohttp@7eecdff aio-libs/aiohttp@f21c6f2
aiohttp 3.8.6 GHSA-c427-h43c-vf67 3.13.4 ### Summary Multiple Host headers were allowed in aiohttp. ### Impact Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain(). ----- Patch: aio-libs/aiohttp@e00ca3c Patch: aio-libs/aiohttp@53e2e6f
aiohttp 3.8.6 GHSA-8495-4g3g-x7pr 3.10.11 ### Summary The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ----- Patch: aio-libs/aiohttp@259edc3
aiohttp 3.8.6 GHSA-9548-qrrj-x5pj 3.12.14 ### Summary The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ---- Patch: aio-libs/aiohttp@e8d774f
aiohttp 3.8.6 GHSA-6mq8-rvhq-8wgg 3.13.3 ### Summary A zip bomb can be used to execute a DoS against the aiohttp server. ### Impact An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory. ------ Patch: aio-libs/aiohttp@2b920c3
aiohttp 3.8.6 GHSA-69f9-5gxw-wvc2 3.13.3 ### Summary The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ------ Patch: aio-libs/aiohttp@32677f2
aiohttp 3.8.6 GHSA-6jhg-hg63-jvvf 3.13.3 ### Summary A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing. ### Impact If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. ----- Patch: aio-libs/aiohttp@b7dbd35
aiohttp 3.8.6 GHSA-g84x-mcqj-x9qq 3.13.3 ### Summary Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. ### Impact If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. ----- Patch: aio-libs/aiohttp@dc3170b Patch: aio-libs/aiohttp@4ed97a4
aiohttp 3.8.6 GHSA-fh55-r93g-j68g 3.13.3 ### Summary Reading multiple invalid cookies can lead to a logging storm. ### Impact If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. ---- Patch: aio-libs/aiohttp@64629a0
aiohttp 3.8.6 GHSA-54jq-c3m8-4m76 3.13.3 ### Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components. ### Impact If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. ------ Patch: aio-libs/aiohttp@f2a86fd
aiohttp 3.8.6 GHSA-jj3x-wxrx-4x23 3.13.3 ### Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. ### Impact If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. ------ Patch: aio-libs/aiohttp@bc1319e
aiohttp 3.8.6 GHSA-mqqc-3gqh-h2x8 3.13.3 ### Summary The parser allows non-ASCII decimals to be present in the Range header. ### Impact There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. ---- Patch: aio-libs/aiohttp@c7b7a04
aiohttp 3.8.6 GHSA-w2fm-2cpv-w7v5 3.13.4 ### Summary Insufficient restrictions in header/trailer handling could cause uncapped memory usage. ### Impact An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration. ----- Patch: aio-libs/aiohttp@0c2e9da
aiohttp 3.8.6 GHSA-2vrm-gr82-f7m5 3.13.4 ### Summary An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. ### Impact If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended. ----- Patch: aio-libs/aiohttp@9a6ada9
cryptography 45.0.7 GHSA-r6ph-v2qm-q3c2 46.0.5 ## Vulnerability Summary The public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. ## Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine
cryptography 45.0.7 GHSA-m959-cc7f-wv43 46.0.6 ## Summary In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead. In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity. See CVE-2025-61727 for a similar bypass in Go's crypto/x509. ## Remediation Users should upgrade to 46.0.6 or newer. ## Attribution Reporter: @1seal
cryptography 45.0.7 GHSA-p423-j2cm-9vmq 46.0.7 If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. For example: python h = Hash(SHA256()) b.update(buf[::-1]) would read past the end of the buffer on Python >3.11
filelock 3.12.2 GHSA-w853-jp5j-5j7f 3.20.1 ### Impact A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. Who is impacted: All users of filelock on Unix, Linux, macOS, and Windows systems. The vulnerability cascades to dependent libraries: - virtualenv users: Configuration files can be overwritten with virtualenv metadata, leaking sensitive paths - PyTorch users: CPU ISA cache or model checkpoints can be corrupted, causing crashes or ML pipeline failures - poetry/tox users: through using virtualenv or filelock on their own. Attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable. ### Patches Fixed in version 3.20.1. Unix/Linux/macOS fix: Added O_NOFOLLOW flag to os.open() in UnixFileLock._acquire() to prevent symlink following. Windows fix: Added GetFileAttributesW API check to detect reparse points (symlinks/junctions) before opening files in WindowsFileLock._acquire(). Users should upgrade to filelock 3.20.1 or later immediately. ### Workarounds If immediate upgrade is not possible: 1. Use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases) 2. Ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks 3. Monitor lock file directories for suspicious symlinks before running trusted applications Warning: These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended. ______________________________________________________________________ ## Technical Details: How the Exploit Works ### The Vulnerable Code Pattern Unix/Linux/macOS (src/filelock/_unix.py:39-44): ```python def _acquire(self) -> None: ensure_directory_exists(self.lock_file) open_flags = os.O_RDWR
filelock 3.12.2 GHSA-qmgc-5h2g-mvrw 3.20.3 ## Vulnerability Summary Title: Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock Affected Component: filelock package - SoftFileLock class File: src/filelock/_soft.py lines 17-27 CWE: CWE-362, CWE-367, CWE-59 --- ## Description A TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. ### Attack Scenario 1. Lock attempts to acquire on /tmp/app.lock 2. Permission validation passes 3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock 4. os.open() tries to create lock file 5. Lock operates on attacker-controlled target file or fails --- ## Impact What kind of vulnerability is it? Who is impacted? This is a Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability affecting any application using SoftFileLock for inter-process synchronization. Affected Users: - Applications using filelock.SoftFileLock directly - Applications using the fallback FileLock on systems without fcntl support (e.g., GraalPy) Consequences: - Silent lock acquisition failure - applications may not detect that exclusive resource access is not guaranteed - Denial of Service - attacker can prevent lock file creation by maintaining symlink - Resource serialization failures - multiple processes may acquire "locks" simultaneously - Unintended file operations - lock could operate on attacker-controlled files CVSS v4.0 Score: 5.6 (Medium) Vector: CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N Attack Requirements: - Local filesystem access to the directory containing lock files - Permission to create symlinks (standard for regular unprivileged users on Unix/Linux) - Ability to time the symlink creation during the narrow race window --- ## Patches Has the problem been patched? What versions should users upgrade to? Yes, the vulnerability has been patched by adding the O_NOFOLLOW flag to prevent symlink following during lock file creation. Patched Version: Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0) Mitigation Details: - The O_NOFOLLOW flag is added conditionally and gracefully degrades on platforms without support - On platforms with O_NOFOLLOW support (most modern systems): symlink attacks are completely prevented - On platforms without O_NOFOLLOW (e.g., GraalPy): TOCTOU window remains but is documented Users should: - Upgrade to the patched version when available - For critical deployments, consider using UnixFileLock or WindowsFileLock instead of the fallback SoftFileLock --- ## Workarounds Is there a way for users to fix or remediate the vulnerability without upgrading? For users unable to update immediately: 1. Avoid SoftFileLock in security-sensitive contexts - use UnixFileLock or WindowsFileLock when available (these were already patched for CVE-2025-68146) 2. Restrict filesystem permissions - prevent untrusted users from creating symlinks in lock file directories: bash chmod 700 /path/to/lock/directory 3. Use process isolation - isolate untrusted code from lock file paths to prevent symlink creation 4. Monitor lock operations - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations --- ## References Are there any links users can visit to find out more? - Similar Vulnerability: CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock) - CWE-362 (Concurrent Execution using Shared Resource): https://cwe.mitre.org/data/definitions/362.html - CWE-367 (Time-of-check Time-of-use Race Condition): https://cwe.mitre.org/data/definitions/367.html - CWE-59 (Improper Link Resolution Before File Access): https://cwe.mitre.org/data/definitions/59.html - O_NOFOLLOW documentation: https://man7.org/linux/man-pages/man2/open.2.html - GitHub Repository: https://github.com/tox-dev/filelock --- Reported by: George Tsigourakos (@tsigouris007)
lxml 5.4.0 GHSA-vfmq-68hx-4jfw 6.1.0 ### Impact Using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. ### Patches lxml 6.1.0 changes the default to resolve_entities='internal', thus disallowing local file access by default. ### Workarounds Setting the resolve_entities option explicitly to resolve_entities='internal' or resolve_entities=False disables the local file access. ### Resources Original report: https://bugs.launchpad.net/lxml/+bug/2146291 The default option was changed to resolve_entities='internal' for the normal XML and HTML parsers in lxml 5.0. The default was not changed for iterparse() and ETCompatXMLParser() at the time. lxml 6.1 makes the safe option the default for all parsers.
protobuf 4.24.4 GHSA-8qvm-5x2c-j2w7 4.25.8,5.29.5,6.31.1 ### Summary Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com Affected versions: This issue only affects the pure-Python implementation of protobuf-python backend. This is the implementation when PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default. This is a Python variant of a previous issue affecting protobuf-java. ### Severity This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker. ### Proof of Concept For reproduction details, please refer to the unit tests decoder_test.py and message_test ### Remediation and Mitigation A mitigation is available now. Please update to the latest available versions of the following packages: * protobuf-python(4.25.8, 5.29.5, 6.31.1)
protobuf 4.24.4 GHSA-7gcm-g887-7qv7 5.29.6,6.33.5 A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
pyasn1 0.5.1 GHSA-jr27-m4p2-rc6r 0.6.3 ### Summary The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application. ### Details The vulnerability exists because the decoder iterates through the input stream and recursively calls decodeFun (the decoding callback) for every nested component found, without tracking or limiting the recursion depth. Vulnerable Code Locations: 1. indefLenValueDecoder (Line 998): for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options): This method handles indefinite-length constructed types. It sits inside a while True loop and recursively calls the decoder for every nested tag. 2. valueDecoder (Lines 786 and 907): for component in decodeFun(substrate, componentType, **options): This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of SEQUENCE or SET types. Line 907: Recursively decodes elements of SEQUENCE OF or SET OF types. 4. _decodeComponentsSchemaless (Line 661): for component in decodeFun(substrate, **options): This method handles decoding when no schema is provided. In all three cases, decodeFun is invoked without passing a depth parameter or checking against a global MAX_ASN1_NESTING limit. ### PoC import sys from pyasn1.codec.ber import decoder sys.setrecursionlimit(100000) print("[*] Generating Recursion Bomb Payload...") depth = 50_000 chunk = b'\x30\x80' payload = chunk * depth print(f"[*] Payload size: {len(payload) / 1024:.2f} KB") print("[*] Triggering Decoder...") try: decoder.decode(payload) except RecursionError: print("[!] Crashed: Recursion Limit Hit") except MemoryError: print("[!] Crashed: Out of Memory") except Exception as e: print(f"[!] Crashed: {e}") [*] Payload size: 9.77 KB [*] Triggering Decoder... [!] Crashed: Recursion Limit Hit ### Impact - This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion. - Service Crash: Any service using pyasn1 to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely. - Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack. ### Credits Vulnerability discovered by Kevin Tu of TMIR at ByteDance.
pygments 2.17.2 GHSA-5239-wwwm-4pmq 2.20.0 A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
pynacl 1.5.0 GHSA-mrfv-m5wm-5w6w 1.6.2 libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. This advisoory lists packages in the GitHub Advisory Database's supported ecosystems that are affected by this vulnerability due to a vulnerable dependency.
requests 2.31.0 GHSA-9wx4-h78v-vm56 2.32.0 When using a requests.Session, if the first request to a given origin is made with verify=False, TLS certificate verification may remain disabled for all subsequent requests to that origin, even if verify=True is explicitly specified later. This occurs because the underlying connection is reused from the session's connection pool, causing the initial TLS verification setting to persist for the lifetime of the pooled connection. As a result, applications may unintentionally send requests without certificate verification, leading to potential man-in-the-middle attacks and compromised confidentiality or integrity. This behavior affects versions of requests prior to 2.32.0.
requests 2.31.0 GHSA-9hjg-9r4m-mvj7 2.32.4 ### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ### Workarounds For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs). ### References psf/requests#6965 https://seclists.org/fulldisclosure/2025/Jun/2
requests 2.31.0 GHSA-gc5v-m9x4-r6x2 2.33.0 ### Impact The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. ### Affected usages Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted. ### Remediation Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.
urllib3 1.26.20 GHSA-pq67-6m6q-mj2v 2.5.0 urllib3 handles redirects and retries using the same mechanism, which is controlled by the Retry object. The most common way to disable redirects is at the request level, as follows: python resp = urllib3.request("GET", "https://httpbin.org/redirect/1", redirect=False) print(resp.status) # 302 However, it is also possible to disable redirects, for all requests, by instantiating a PoolManager and specifying retries in a way that disable redirects: python import urllib3 http = urllib3.PoolManager(retries=0) # should raise MaxRetryError on redirect http = urllib3.PoolManager(retries=urllib3.Retry(redirect=0)) # equivalent to the above http = urllib3.PoolManager(retries=False) # should return the first response resp = http.request("GET", "https://httpbin.org/redirect/1") However, the retries parameter is currently ignored, which means all the above examples don't disable redirects. ## Affected usages Passing retries on PoolManager instantiation to disable redirects or restrict their number. By default, requests and botocore users are not affected. ## Impact Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. ## Remediation You can remediate this vulnerability with the following steps: * Upgrade to a patched version of urllib3. If your organization would benefit from the continued support of urllib3 1.x, please contact sethmichaellarson@gmail.com to discuss sponsorship or contribution opportunities. * Disable redirects at the request() level instead of the PoolManager() level.
urllib3 1.26.20 GHSA-gm62-xv2j-4w53 2.6.0 ## Impact urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, zstd). However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. ## Affected usages Applications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly. ## Remediation Upgrade to at least urllib3 v2.6.0 in which the library limits the number of links to 5. If upgrading is not immediately possible, use preload_content=False and ensure that resp.headers["content-encoding"] contains a safe number of encodings before reading the response content.
urllib3 1.26.20 GHSA-2xpw-w6gg-jr37 2.6.0 ### Impact urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data. ### Affected usages Applications and libraries using urllib3 version 2.5.0 and earlier to stream large compressed responses or content from untrusted sources. stream(), read(amt=256), read1(amt=256), read_chunked(amt=256), readinto(b) are examples of urllib3.HTTPResponse method calls using the affected logic unless decoding is disabled explicitly. ### Remediation Upgrade to at least urllib3 v2.6.0 in which the library avoids decompressing data that exceeds the requested amount. If your environment contains a package facilitating the Brotli encoding, upgrade to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 too. These versions are enforced by the urllib3[brotli] extra in the patched versions of urllib3. ### Credits The issue was reported by @Cycloctane. Supplemental information was provided by @stamparm during a security audit performed by 7ASecurity and facilitated by OSTIF.
urllib3 1.26.20 GHSA-38jv-5279-wg99 2.6.3 ### Impact urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. However, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client (high CPU usage and large memory allocations for decompressed data; CWE-409). ### Affected usages Applications and libraries using urllib3 version 2.6.2 and earlier to stream content from untrusted sources by setting preload_content=False when they do not disable redirects. ### Remediation Upgrade to at least urllib3 v2.6.3 in which the library does not decode content of redirect responses when preload_content=False. If upgrading is not immediately possible, disable redirects by setting redirect=False for requests to untrusted source.
zipp 3.15.0 GHSA-jfmj-5v4g-7637 3.19.1 A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.

Dependency issues not solved for Python 3.8

Name Version ID Fix Versions Description
aiohttp 3.10.11 GHSA-p998-jp59-783m 3.13.4 ### Summary On Windows the static resource handler may expose information about a NTLMv2 remote path. ### Impact If an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there. ----- Patch: aio-libs/aiohttp@0ae2aa0
aiohttp 3.10.11 GHSA-hcc4-c3v8-rx92 3.13.4 ### Summary An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. ### Impact If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory. ----- Patch: aio-libs/aiohttp@c4d77c3
aiohttp 3.10.11 GHSA-m5qp-6w8w-w647 3.13.4 ### Summary A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. ### Impact Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. However, other restrictions in place limit the impact of this vulnerability. ----- Patch: aio-libs/aiohttp@8a74257
aiohttp 3.10.11 GHSA-3wq7-rqq7-wx6j 3.13.4 ### Summary For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. ### Impact If an application uses Request.post() an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected. ----- Patch: aio-libs/aiohttp@cbb774f
aiohttp 3.10.11 GHSA-mwh4-6h8g-pg8w 3.13.4 ### Summary An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. ### Impact In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the response to send something different from what the developer intended. ----- Patch: aio-libs/aiohttp@53b35a2
aiohttp 3.10.11 GHSA-966j-vmvw-g2g9 3.13.4 ### Summary When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. ### Impact The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following a redirect. ----- Patch: aio-libs/aiohttp@5351c98
aiohttp 3.10.11 GHSA-63hf-3vf5-4wqf 3.13.4 ### Summary The C parser (the default for most installs) accepted null bytes and control characters is response headers. ### Impact An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin() may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass. ----- Patch: aio-libs/aiohttp@9370b97
aiohttp 3.10.11 GHSA-c427-h43c-vf67 3.13.4 ### Summary Multiple Host headers were allowed in aiohttp. ### Impact Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using Application.add_domain(). ----- Patch: aio-libs/aiohttp@e00ca3c Patch: aio-libs/aiohttp@53e2e6f
aiohttp 3.10.11 GHSA-9548-qrrj-x5pj 3.12.14 ### Summary The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ---- Patch: aio-libs/aiohttp@e8d774f
aiohttp 3.10.11 GHSA-6mq8-rvhq-8wgg 3.13.3 ### Summary A zip bomb can be used to execute a DoS against the aiohttp server. ### Impact An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory. ------ Patch: aio-libs/aiohttp@2b920c3
aiohttp 3.10.11 GHSA-69f9-5gxw-wvc2 3.13.3 ### Summary The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. ### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. ------ Patch: aio-libs/aiohttp@32677f2
aiohttp 3.10.11 GHSA-6jhg-hg63-jvvf 3.13.3 ### Summary A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing. ### Impact If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. ----- Patch: aio-libs/aiohttp@b7dbd35
aiohttp 3.10.11 GHSA-g84x-mcqj-x9qq 3.13.3 ### Summary Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. ### Impact If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. ----- Patch: aio-libs/aiohttp@dc3170b Patch: aio-libs/aiohttp@4ed97a4
aiohttp 3.10.11 GHSA-fh55-r93g-j68g 3.13.3 ### Summary Reading multiple invalid cookies can lead to a logging storm. ### Impact If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. ---- Patch: aio-libs/aiohttp@64629a0
aiohttp 3.10.11 GHSA-54jq-c3m8-4m76 3.13.3 ### Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components. ### Impact If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. ------ Patch: aio-libs/aiohttp@f2a86fd
aiohttp 3.10.11 GHSA-jj3x-wxrx-4x23 3.13.3 ### Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. ### Impact If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. ------ Patch: aio-libs/aiohttp@bc1319e
aiohttp 3.10.11 GHSA-mqqc-3gqh-h2x8 3.13.3 ### Summary The parser allows non-ASCII decimals to be present in the Range header. ### Impact There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. ---- Patch: aio-libs/aiohttp@c7b7a04
aiohttp 3.10.11 GHSA-w2fm-2cpv-w7v5 3.13.4 ### Summary Insufficient restrictions in header/trailer handling could cause uncapped memory usage. ### Impact An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration. ----- Patch: aio-libs/aiohttp@0c2e9da
aiohttp 3.10.11 GHSA-2vrm-gr82-f7m5 3.13.4 ### Summary An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. ### Impact If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended. ----- Patch: aio-libs/aiohttp@9a6ada9
filelock 3.16.1 GHSA-w853-jp5j-5j7f 3.20.1 ### Impact A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. Who is impacted: All users of filelock on Unix, Linux, macOS, and Windows systems. The vulnerability cascades to dependent libraries: - virtualenv users: Configuration files can be overwritten with virtualenv metadata, leaking sensitive paths - PyTorch users: CPU ISA cache or model checkpoints can be corrupted, causing crashes or ML pipeline failures - poetry/tox users: through using virtualenv or filelock on their own. Attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable. ### Patches Fixed in version 3.20.1. Unix/Linux/macOS fix: Added O_NOFOLLOW flag to os.open() in UnixFileLock._acquire() to prevent symlink following. Windows fix: Added GetFileAttributesW API check to detect reparse points (symlinks/junctions) before opening files in WindowsFileLock._acquire(). Users should upgrade to filelock 3.20.1 or later immediately. ### Workarounds If immediate upgrade is not possible: 1. Use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases) 2. Ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks 3. Monitor lock file directories for suspicious symlinks before running trusted applications Warning: These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended. ______________________________________________________________________ ## Technical Details: How the Exploit Works ### The Vulnerable Code Pattern Unix/Linux/macOS (src/filelock/_unix.py:39-44): ```python def _acquire(self) -> None: ensure_directory_exists(self.lock_file) open_flags = os.O_RDWR

@github-actions github-actions Bot changed the title Updated constraints due security reasons (triggered on 2026-04-20T12:37:18+00:00 by 2f535dc00701725bf07a2e3ee298d84010eb3386) Updated constraints due security reasons (triggered on 2026-04-27T14:20:13+00:00 by 9e4811270b5b5e727e088a839c9a4a928c488230) Apr 27, 2026
@github-actions github-actions Bot force-pushed the create-pull-request/patch-audit-constraints branch from e4f5839 to c7c249b Compare April 27, 2026 14:20
@jmfernandez jmfernandez merged commit b2464bf into main Apr 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant