detections/_docs/05_security/dependency_scan.md

# Dependency Scan

**Date**: 2026-03-31
**Tool**: Manual review + WebSearch (pip-audit not installed)
**Files scanned**: `requirements.txt`, `requirements-macos.txt`, `requirements-gpu.txt`, `e2e/requirements.txt`

## Findings

### CVE-2026-28356 — python-multipart ReDoS (HIGH, CVSS 7.5)

- **Package**: python-multipart (unpinned in `requirements.txt`)
- **Vulnerability**: `parse_options_header()` uses a regex with ambiguous alternation causing exponential backtracking on malicious HTTP/multipart headers
- **Impact**: Denial of service against the FastAPI application
- **Fixed in**: 1.2.2, 1.3.1, 1.4.0-dev
- **Remediation**: Pin `python-multipart>=1.3.1`

### CVE-2025-43859 — h11 HTTP Request Smuggling via uvicorn (CRITICAL, CVSS 9.1)

- **Package**: uvicorn (unpinned in `requirements.txt`) → transitive dependency h11-0.14.0
- **Vulnerability**: Lenient parsing of line terminators in chunked-coding message bodies enables HTTP request smuggling
- **Impact**: Bypass security controls, cache poisoning, session hijacking, data leakage
- **Fixed in**: h11 update required; check for h11>=0.15.0
- **Remediation**: Pin `h11>=0.15.0` or verify uvicorn version pulls a patched h11

### Unpinned Dependencies — Supply Chain Risk (MEDIUM)

- **Packages**: `fastapi`, `uvicorn[standard]`, `python-multipart` in `requirements.txt`; `pytest`, `sseclient-py`, `flask`, `gunicorn` in `e2e/requirements.txt`
- **Risk**: Unpinned packages may resolve to different (potentially vulnerable) versions across environments. A compromised PyPI upload could be silently pulled in.
- **Remediation**: Pin all dependencies to specific versions

### opencv-python — Outdated (LOW)

- **Package**: opencv-python==4.10.0.84
- **Vulnerability**: No known CVEs for 4.10.0.84, but latest is 4.13.0.92
- **Remediation**: Consider upgrading to 4.13.0.92 when convenient

## Summary

| Severity | Count |
|----------|-------|
| Critical | 1     |
| High     | 1     |
| Medium   | 1     |
| Low      | 1     |

## No Known Vulnerabilities

- requests==2.32.4 (patched version)
- numpy==2.3.0
- onnxruntime==1.22.0
- loguru==0.7.3
- av==14.2.0
- xxhash==3.5.0
- Cython==3.2.4
- pynvml==12.0.0
- coremltools==9.0