# Security CVE Research: Python Dependencies (Late 2025 – March 2026)

Research date: March 14, 2026. Covers CVEs and security issues for packages used in the GPS-denied solution (solution_draft05).

---

## 1. Summary Table

| Package | Current Version | CVE ID | Severity | Mitigation | Source |
|---------|-----------------|--------|----------|------------|--------|
| **FastAPI** | ≥0.135.0 | None (core) | — | No action for core FastAPI | — |
| **FastAPI Api Key** | — | CVE-2026-23996 | Medium | Update to ≥1.1.0 or avoid | [GitLab Advisory](https://advisories.gitlab.com/pkg/pypi/fastapi-api-key/CVE-2026-23996) |
| **uvicorn** | — | CVE-2025-43859 (h11) | Critical 9.1 | Pin h11 ≥0.16.0 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-43859) |
| **ONNX Runtime** | — | AIKIDO-2026-10185 | Medium | Upgrade to ≥1.24.1 | [Intel Aikido](https://intel.aikido.dev/cve/AIKIDO-2026-10185) |
| **ONNX** | — | CVE-2025-51480 | High 8.8 | Patch in ONNX 1.17+ | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-51480) |
| **aiohttp** | — | CVE-2025-69223, 69227, 69228, 69229, 69230, 69226, CVE-2025-53643 | High/Medium | Update to ≥3.13.3 | [oss-sec](https://seclists.org/oss-sec/2026/q1/24) |
| **python-jose** | 3.5.0 | CVE-2024-29370, 33663, 33664; unfixed 2026 issues | Medium | **Replace with PyJWT** | [OpenCVE](https://app.opencve.io/cve/?vendor=python-jose_project) |
| **PyTorch** | ≥2.10.0 | CVE-2026-24747 (fixed in 2.10.0) | High 8.8 | Already mitigated | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-24747) |
| **Pillow** | ≥11.3.0 | CVE-2026-25990 | High 7.5 | **Upgrade to ≥12.1.1** | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-25990) |
| **GTSAM** | 4.2 | None found | — | Monitor | — |
| **numpy** | — | AIKIDO-2025-10325 (2.2.x) | Low | Upgrade to ≥2.2.6 if on 2.2.x | [Intel Aikido](https://intel.aikido.dev/cve/AIKIDO-2025-10325) |
| **safetensors** | — | Metadata RCE (under review) | TBD | Monitor; avoid unsafe metadata parsing | [huggingface_hub #3863](https://github.com/huggingface/huggingface_hub/issues/3863) |

---

## 2. Detailed Findings by Package

### 2.1 FastAPI (≥0.135.0)

**Core FastAPI**: No CVEs affecting the main FastAPI package in 2025–2026.

**Related packages** (if used):

- **CVE-2026-23996** (FastAPI Api Key): Timing side-channel in `verify_key()`; update to ≥1.1.0.
- **CVE-2026-2978** (FastApiAdmin): Unrestricted file upload; update to ≥2.2.1.
- **CVE-2025-68481** (fastapi-users): OAuth CSRF; update to ≥15.0.2.

**Recommendation**: No change for core FastAPI. If using FastAPI Api Key, FastApiAdmin, or fastapi-users, upgrade those packages.

---

### 2.2 uvicorn

**CVE-2025-43859** (transitive via h11):

- **Severity**: Critical (CVSS 9.1)
- **Cause**: h11 <0.16.0 lenient parsing of chunked-encoding line terminators → HTTP request smuggling
- **Impact**: Security bypass, cache poisoning, session hijacking, data leakage
- **Fix**: Pin `h11>=0.16.0`. Uvicorn PR #2621 bumps h11 (merged May 2025).

**Recommendation**: Pin `h11>=0.16.0` in requirements. Use a uvicorn release that depends on h11 ≥0.16.0.

**Sources**: [NVD CVE-2025-43859](https://nvd.nist.gov/vuln/detail/CVE-2025-43859), [Uvicorn PR #2621](https://github.com/encode/uvicorn/pull/2621)

---

### 2.3 ONNX Runtime

**AIKIDO-2026-10185** (path traversal in model loading):

- **Affected**: ONNX Runtime 1.21.0–1.24.0
- **Issue**: External data references in TensorProto can use absolute paths or `../` traversal
- **Impact**: Load unintended files, data disclosure, unexpected behavior
- **Fix**: Upgrade to ONNX Runtime ≥1.24.1

**CVE-2025-51480** (ONNX library `save_external_data`):

- **Affected**: ONNX 1.17.0
- **Issue**: Path traversal in `save_external_data` → arbitrary file overwrite
- **Fix**: ONNX patches in PR #7040; use patched ONNX.

**Recommendation**: Use ONNX Runtime ≥1.24.1. Ensure the ONNX dependency is patched for CVE-2025-51480.
**Sources**: [Intel Aikido AIKIDO-2026-10185](https://intel.aikido.dev/cve/AIKIDO-2026-10185), [NVD CVE-2025-51480](https://nvd.nist.gov/vuln/detail/CVE-2025-51480)

---

### 2.4 aiohttp

**Multiple CVEs fixed in 3.13.3** (released Jan 5, 2026):

| CVE | Severity | Issue |
|-----|----------|-------|
| CVE-2025-69223 | High | Zip bomb DoS via compressed request |
| CVE-2025-69228 | High | Large payload DoS (e.g. `Request.post()`) |
| CVE-2025-69227 | High | DoS via bypassed asserts when `PYTHONOPTIMIZE=1` |
| CVE-2025-69229 | Medium | Chunked message DoS (CPU exhaustion) |
| CVE-2025-69230 | Low | Cookie parser warning storm |
| CVE-2025-69226 | Low | Static file path brute-force |
| CVE-2025-53643 | — | HTTP request smuggling (fixed in 3.12.14) |

**Recommendation**: Upgrade to aiohttp ≥3.13.3.

**Sources**: [oss-sec 2026/Q1](https://seclists.org/oss-sec/2026/q1/24), [aiohttp GHSA-6mq8-rvhq-8wgg](https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg)

---

### 2.5 python-jose (JWT)

**Maintenance**: Effectively unmaintained; minimal activity for ~2 years. Current version 3.5.0.

**Known CVEs**:

- CVE-2024-29370: DoS via malicious JWE (5.3 Medium)
- CVE-2024-33663: Algorithm confusion with OpenSSH ECDSA keys (6.5 Medium)
- CVE-2024-33664: JWT bomb via compressed JWE (5.3 Medium)
- CVE-2025-61152: `alg=none` (disputed by maintainers)

**Unfixed 2026 issues** (per GitHub #398):

- DER key algorithm confusion
- Missing algorithm whitelisting
- Timing side-channels

**Recommendation**: **Replace with PyJWT**. Okta and others have migrated away from python-jose. PyJWT is actively maintained and has stronger security defaults.
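The three unfixed issues listed above (missing algorithm whitelisting, timing side-channels, and the disputed `alg=none` handling) describe properties a JWT verifier must have rather than bugs specific to one library. The following is an added example written for this report using only the Python standard library; it is not code from python-jose or PyJWT. It shows what "stronger security defaults" means in practice: the verifier pins the algorithms it accepts, recomputes the MAC with its own pinned digest rather than whatever the token header names, and compares signatures in constant time. The key, claims and tokens are constructed test data; the function names (`verify`, `check`, `sign_hs256`) are this example's own.

```python
"""HS256 JWT verification with an explicit algorithm allow-list.

Added example built only on the standard library; it is not python-jose or
PyJWT code. Keys, claims and tokens used here are constructed test data.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Algorithms this application deliberately accepts, mapped to their digest.
# Nothing outside this dict is ever tried, whatever the token header claims.
ALLOWED_ALGS = {"HS256": hashlib.sha256}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that the JWT encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token so the verifier can be exercised end to end."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify(token: str, key: bytes, allowed=ALLOWED_ALGS, now: Optional[float] = None) -> dict:
    """Return the claims if the token verifies; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))

    # 1. Allow-list check. "none" is never in the list, so unsigned tokens
    #    fail here, and so does any algorithm the verifier did not opt into.
    alg = header.get("alg")
    if alg not in allowed:
        raise ValueError(f"algorithm not allowed: {alg!r}")

    # 2. Recompute the MAC with the digest *we* mapped the algorithm to and
    #    compare in constant time so verification leaks no timing signal.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, allowed[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # 3. Trust the claims only after the signature has checked out.
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def check(token: str, key: bytes, now: Optional[float] = None) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason.

    binascii.Error, UnicodeDecodeError and JSONDecodeError are all
    ValueError subclasses, so malformed encodings are reported, not raised.
    """
    try:
        verify(token, key, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

With PyJWT the same allow-list is expressed by passing `algorithms=["HS256"]` to `jwt.decode()`; the point of the stdlib version is to make visible which checks that argument stands in for, so that a migration from python-jose can be reviewed against them.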
**Sources**: [OpenCVE python-jose](https://app.opencve.io/cve/?vendor=python-jose_project), [Okta migration issue](https://github.com/okta/okta-jwt-verifier-python/issues/54), [python-jose #398](https://github.com/mpdavis/python-jose/issues/398)

---

### 2.6 PyTorch (≥2.10.0)

**CVE-2026-24747** (fixed in 2.10.0):

- **Severity**: High (CVSS 8.8)
- **Issue**: `weights_only` unpickler memory corruption via crafted `.pth` checkpoints
- **Impact**: RCE when loading a malicious checkpoint with `torch.load(..., weights_only=True)`
- **Fix**: PyTorch ≥2.10.0

**CVE-2025-32434** (fixed in 2.6.0):

- **Severity**: Critical (CVSS 9.8)
- **Issue**: RCE via `torch.load(..., weights_only=True)` despite documentation describing that mode as safe
- **Fix**: PyTorch ≥2.6.0

**Recommendation**: Keep PyTorch ≥2.10.0. No new CVEs found after 2.10.0. Continue using `weights_only=True` and SHA256 checksums for weights.

---

### 2.7 Pillow (≥11.3.0)

**CVE-2026-25990** (PSD out-of-bounds write):

- **Affected**: 10.3.0 up to, but not including, 12.1.1
- **Severity**: High (CVSS 7.5)
- **Issue**: Out-of-bounds write when loading crafted PSD images
- **Impact**: Memory corruption, possible RCE, crashes
- **Fix**: Upgrade to Pillow ≥12.1.1

**CVE-2025-48379** (DDS buffer overflow, fixed in 11.3.0):

- Already mitigated by Pillow ≥11.3.0.

**Recommendation**: **Upgrade to Pillow ≥12.1.1** to address CVE-2026-25990.

**Sources**: [NVD CVE-2026-25990](https://nvd.nist.gov/vuln/detail/CVE-2026-25990), [GitLab Advisory](https://advisories.gitlab.com/pkg/pypi/pillow/CVE-2026-25990/)

---

### 2.8 GTSAM (4.2)

**Findings**: No CVEs or known security issues for GTSAM 4.2 in public databases.

**Recommendation**: No change. Monitor GTSAM security advisories and CVE feeds.
---

### 2.9 numpy

**AIKIDO-2025-10325** (heap buffer overflow):

- **Affected**: NumPy 2.2.0–2.2.5
- **Issue**: `numpy.strings.find()` incorrect allocation → heap buffer overflow
- **Fix**: Upgrade to NumPy ≥2.2.6

**CVE-2025-62608** (MLX, not NumPy): Malicious `.npy` parsing in MLX; fixed in MLX 0.29.4. NumPy itself is not directly affected.

**Recommendation**: If using NumPy 2.2.x, upgrade to ≥2.2.6. Otherwise no action.

---

### 2.10 safetensors

**Known attack vectors** (research, not formal CVEs):

- Polyglot files: Malicious data appended after a valid safetensors payload
- Header bombs: Large JSON headers causing DoS
- Model poisoning: Backdoors in fine-tuned weights
- Conversion hijacking: Hugging Face safetensors conversion service compromise (Feb 2024)

**Metadata RCE (under review)**:

- Report on huntr.com (Feb 2026) and [huggingface_hub #3863](https://github.com/huggingface/huggingface_hub/issues/3863)
- Related to metadata parsing in AI/ML libraries (e.g. Hydra `instantiate()`)
- Details still limited; embargo possible until resolution

**Recommendation**: Continue using safetensors for weights (safer than pickle). Avoid parsing metadata with unsafe deserialization. Monitor safetensors and huggingface_hub advisories.

---

## 3. Supply Chain & Model File Attacks

### PyTorch model weights

**Known CVEs**:

- CVE-2025-32434: RCE via `weights_only=True` (≤2.5.1) — fixed in 2.6.0
- CVE-2026-24747: Memory corruption in `weights_only` unpickler (<2.10.0) — fixed in 2.10.0

**No additional supply chain CVEs** found beyond these. Mitigations remain:

- PyTorch ≥2.10.0
- `weights_only=True` for all `torch.load()` calls
- SHA256 checksums for all weights
- Prefer safetensors where available

### ONNX model files

**Path traversal**:

- AIKIDO-2026-10185 (ONNX Runtime 1.21–1.24): External data path traversal
- CVE-2025-51480 (ONNX): `save_external_data` path traversal

**Recommendation**: Use ONNX Runtime ≥1.24.1. Load only ONNX models from trusted sources; validate external data paths.
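Two of the mitigations in this section are checks the application itself must run before handing a file to a model loader: the SHA256 checksum for PyTorch weights (sections 2.6 and 3) and the validation of ONNX external data paths (sections 2.3 and 3). The code below is an added example written for this report, not code from PyTorch, ONNX or ONNX Runtime. It streams a checksum over a weights file and compares it in constant time against a digest from a trusted manifest, and it rejects any ONNX external-data `location` that is absolute or resolves outside the model directory, which is the pattern AIKIDO-2026-10185 describes. The weights file, its digest and the `external_data` entries are constructed; the function names are this example's own.

```python
"""Pre-load integrity checks for model files.

Added example, not PyTorch/ONNX/ONNX Runtime code. The checkpoint bytes,
the expected digest and the external_data entries are constructed test data.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large checkpoints need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checksum(path: str, expected_hex: str) -> bool:
    """Compare against a digest taken from a trusted manifest, in constant time."""
    return hmac.compare_digest(sha256_file(path).lower(), expected_hex.lower())


def is_safe_external_location(model_dir: str, location: str) -> bool:
    """True only if `location` resolves to a path inside `model_dir`.

    ONNX stores external tensor data as a path in the tensor's external_data
    entries (key "location"). A model from an untrusted source can set that
    to an absolute path or a `../` sequence, so both are rejected here, and
    the resolved path (symlinks followed) must stay under the model directory.
    """
    if not location or "\x00" in location or os.path.isabs(location):
        return False
    base = Path(model_dir).resolve()
    target = (base / location).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return False
    return True


def unsafe_external_locations(model_dir: str, external_data: Iterable[dict]) -> List[str]:
    """Return every offending location from a list of key/value entries.

    The entries are constructed here as dicts; in a real model they are the
    TensorProto.external_data key/value pairs, of which only "location" is a path.
    """
    bad = []
    for entry in external_data:
        if entry.get("key") == "location" and not is_safe_external_location(model_dir, entry["value"]):
            bad.append(entry["value"])
    return bad


def demo_checksum() -> Tuple[bool, bool]:
    """Round trip on a constructed weights file: intact -> True, tampered -> False."""
    with tempfile.TemporaryDirectory() as tmp:
        weights = os.path.join(tmp, "model.pth")
        content = b"constructed checkpoint bytes"
        with open(weights, "wb") as fh:
            fh.write(content)
        # In production expected_hex comes from a signed or otherwise trusted
        # manifest, never from the file under test; computed here only for the demo.
        expected_hex = hashlib.sha256(content).hexdigest()
        intact = verify_checksum(weights, expected_hex)
        with open(weights, "ab") as fh:
            fh.write(b"\x00")
        tampered = verify_checksum(weights, expected_hex)
    return intact, tampered
```

In the application, `verify_checksum()` gates the call to `torch.load(path, weights_only=True)`: a mismatch means the file is not loaded at all. For ONNX, load the model with external data disabled (`onnx.load(path, load_external_data=False)`), collect each tensor's `external_data` entries, and pass them to `unsafe_external_locations()` before any loader is allowed to follow those references; an empty result is the precondition for loading.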
---

## 4. Action Items for solution_draft05

| Priority | Action |
|----------|--------|
| **Critical** | Replace **python-jose** with **PyJWT** |
| **Critical** | Upgrade **Pillow** to ≥12.1.1 |
| **High** | Upgrade **aiohttp** to ≥3.13.3 |
| **High** | Pin **h11** ≥0.16.0 (uvicorn transitive) |
| **High** | Use **ONNX Runtime** ≥1.24.1 |
| **Medium** | If NumPy 2.2.x: upgrade to ≥2.2.6 |
| **Monitor** | safetensors metadata RCE; GTSAM advisories |

---

## 5. Source URLs

- [NVD CVE-2025-43859](https://nvd.nist.gov/vuln/detail/CVE-2025-43859) — h11/uvicorn
- [NVD CVE-2025-51480](https://nvd.nist.gov/vuln/detail/CVE-2025-51480) — ONNX
- [NVD CVE-2025-53643](https://nvd.nist.gov/vuln/detail/CVE-2025-53643) — aiohttp request smuggling
- [NVD CVE-2025-69223](https://nvd.nist.gov/vuln/detail/CVE-2025-69223) — aiohttp zip bomb
- [NVD CVE-2026-24747](https://nvd.nist.gov/vuln/detail/CVE-2026-24747) — PyTorch
- [NVD CVE-2026-25990](https://nvd.nist.gov/vuln/detail/CVE-2026-25990) — Pillow PSD
- [Intel Aikido AIKIDO-2026-10185](https://intel.aikido.dev/cve/AIKIDO-2026-10185) — ONNX Runtime
- [Intel Aikido AIKIDO-2025-10325](https://intel.aikido.dev/cve/AIKIDO-2025-10325) — NumPy
- [aiohttp GHSA-6mq8-rvhq-8wgg](https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg)
- [oss-sec aiohttp 2026/Q1](https://seclists.org/oss-sec/2026/q1/24)
- [Uvicorn PR #2621](https://github.com/encode/uvicorn/pull/2621) — h11 bump
- [safetensors metadata RCE #3863](https://github.com/huggingface/huggingface_hub/issues/3863)
- [python-jose unmaintained (Okta)](https://github.com/okta/okta-jwt-verifier-python/issues/54)
- [python-jose security issues #398](https://github.com/mpdavis/python-jose/issues/398)
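The action items in section 4 are only useful if they can be checked against what is actually installed, including transitive dependencies such as h11 that no requirements file names directly. The script below is an added example written for this report, not a tool the project uses. It parses `pip freeze` output, normalizes distribution names, and reports every package that is below the minimum version the report requires, that is on the replace list (python-jose), or that falls in the affected NumPy 2.2.x series. The `SAMPLE_FREEZE` text is constructed; the version comparison is a simplified numeric dotted compare with no pre-release or local-version handling, which is an assumption of this example.

```python
"""Audit `pip freeze` output against the report's minimum versions.

Added example, not a tool from the report or any of the projects it covers.
SAMPLE_FREEZE is constructed; the minimums are the ones stated in section 4.
"""
import re
from typing import Dict, List, Tuple

# Minimum safe versions from the action items (section 4), keyed by the
# PEP 503 normalized distribution name as it appears in `pip freeze`.
MINIMUMS: Dict[str, str] = {
    "pillow": "12.1.1",
    "aiohttp": "3.13.3",
    "h11": "0.16.0",
    "onnxruntime": "1.24.1",
    "torch": "2.10.0",
}

# Packages whose presence is itself a finding.
FORBIDDEN: Dict[str, str] = {
    "python-jose": "replace with PyJWT",
}

# NumPy needs action only on the 2.2.x series.
NUMPY_AFFECTED_SERIES = (2, 2)
NUMPY_MIN = "2.2.6"

# Constructed `pip freeze` output for an environment under audit.
SAMPLE_FREEZE = """\
aiohttp==3.12.14
fastapi==0.135.0
h11==0.14.0
numpy==2.2.4
onnxruntime==1.24.1
pillow==11.3.0
python-jose==3.5.0
torch==2.10.0
uvicorn==0.34.0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Simplified numeric compare key; assumption: no pre-release/local tags."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def normalize_name(name: str) -> str:
    # PEP 503: case-insensitive, runs of '-', '_' and '.' collapse to '-'.
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text: str) -> Dict[str, str]:
    """Map normalized package name -> installed version from `pip freeze` lines."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # skips editable installs, VCS URLs and comments
        name, version = line.split("==", 1)
        installed[normalize_name(name)] = version
    return installed


def audit(installed: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per package needing action."""
    findings: List[str] = []
    for pkg, reason in FORBIDDEN.items():
        if pkg in installed:
            findings.append(f"{pkg}=={installed[pkg]}: {reason}")
    for pkg, minimum in MINIMUMS.items():
        if pkg in installed and parse_version(installed[pkg]) < parse_version(minimum):
            findings.append(f"{pkg}=={installed[pkg]}: upgrade to >={minimum}")
    numpy_ver = installed.get("numpy")
    if numpy_ver:
        v = parse_version(numpy_ver)
        if v[:2] == NUMPY_AFFECTED_SERIES and v < parse_version(NUMPY_MIN):
            findings.append(f"numpy=={numpy_ver}: upgrade to >={NUMPY_MIN}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_freeze(SAMPLE_FREEZE)):
        print(finding)
```

Run against a real environment with `pip freeze | python audit.py` after swapping `SAMPLE_FREEZE` for `sys.stdin.read()`. For anything beyond dotted numeric versions, replace `parse_version()` with `packaging.version.Version`, which handles pre-release and post-release tags correctly.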