detections/_docs/05_security/dependency_scan.md
Oleksandr Bezdieniezhnykh be4cab4fcb [AZ-178] Implement streaming video detection endpoint
- Added `/detect/video` endpoint for true streaming video detection, allowing inference to start as upload bytes arrive.
- Introduced `run_detect_video_stream` method in the inference module to handle video processing from a file-like object.
- Updated media hashing to include a new function for computing hashes directly from files with minimal I/O.
- Enhanced documentation to reflect changes in video processing and API behavior.

Made-with: Cursor
2026-04-01 03:11:43 +03:00


Dependency Scan

Date: 2026-03-31
Tool: Manual review + WebSearch (pip-audit not installed)
Files scanned: requirements.txt, requirements-macos.txt, requirements-gpu.txt, e2e/requirements.txt

Findings

CVE-2026-28356 — python-multipart ReDoS (HIGH, CVSS 7.5)

  • Package: python-multipart (unpinned in requirements.txt)
  • Vulnerability: parse_options_header() uses a regex with ambiguous alternation causing exponential backtracking on malicious HTTP/multipart headers
  • Impact: Denial of service against the FastAPI application
  • Fixed in: 1.2.2, 1.3.1, 1.4.0-dev
  • Remediation: Pin python-multipart>=1.3.1

CVE-2025-43859 — h11 HTTP Request Smuggling via uvicorn (CRITICAL, CVSS 9.1)

  • Package: uvicorn (unpinned in requirements.txt) → resolves to the transitive dependency h11 0.14.0
  • Vulnerability: Lenient parsing of line terminators in chunked-coding message bodies enables HTTP request smuggling
  • Impact: Bypass security controls, cache poisoning, session hijacking, data leakage
  • Fixed in: h11 update required; check for h11>=0.15.0
  • Remediation: Pin h11>=0.15.0 or verify uvicorn version pulls a patched h11

Unpinned Dependencies — Supply Chain Risk (MEDIUM)

  • Packages: fastapi, uvicorn[standard], python-multipart in requirements.txt; pytest, sseclient-py, flask, gunicorn in e2e/requirements.txt
  • Risk: Unpinned packages may resolve to different (potentially vulnerable) versions across environments. A compromised PyPI upload could be silently pulled in.
  • Remediation: Pin all dependencies to specific versions
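As an added example (not part of this scan or the project's code), the check below walks a requirements file, reports specifiers that are not exact `==` pins, and flags pinned versions below the minimum patched versions given in the findings above for python-multipart and h11. The sample requirements text is constructed; since h11 is normally transitive, run it against a fully pinned lock or constraints file (for example `pip freeze` output) to see the h11 check fire.

```python
import re

# Minimum patched versions taken from the findings in this scan.
MIN_FIXED = {
    "python-multipart": (1, 3, 1),  # CVE-2026-28356 remediation
    "h11": (0, 15, 0),              # CVE-2025-43859 remediation
}

# Constructed sample input mixing unpinned, range-pinned and exact-pinned lines.
SAMPLE_REQUIREMENTS = """\
fastapi
uvicorn[standard]
python-multipart
opencv-python==4.10.0.84
# comment lines and blank lines are ignored

h11==0.14.0
requests>=2.32.4
"""

# name, optional [extras], optional operator, optional version
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def parse_version(text):
    """Turn '0.14.0' into (0, 14, 0); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def audit_requirements(text):
    """Return {'unpinned': [names], 'vulnerable': [(name, version)]}."""
    unpinned, vulnerable = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip comments and pip options
            continue
        match = _REQ_RE.match(line)
        if not match:
            continue
        name, _extras, op, version = match.groups()
        name = name.lower().replace("_", "-")  # normalise distribution name
        if op != "==" or version is None:
            unpinned.append(name)  # anything but an exact pin can drift
        elif name in MIN_FIXED and parse_version(version) < MIN_FIXED[name]:
            vulnerable.append((name, version))
    return {"unpinned": unpinned, "vulnerable": vulnerable}
```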

opencv-python — Outdated (LOW)

  • Package: opencv-python==4.10.0.84
  • Status: No known CVEs for 4.10.0.84; the latest release is 4.13.0.92
  • Remediation: Consider upgrading to 4.13.0.92 when convenient

Summary

| Severity | Count |
|----------|-------|
| Critical | 1     |
| High     | 1     |
| Medium   | 1     |
| Low      | 1     |

No Known Vulnerabilities

  • requests==2.32.4 (patched version)
  • numpy==2.3.0
  • onnxruntime==1.22.0
  • loguru==0.7.3
  • av==14.2.0
  • xxhash==3.5.0
  • Cython==3.2.4
  • pynvml==12.0.0
  • coremltools==9.0