Security CVE Research: Python Dependencies (Late 2025 – March 2026)
Research date: March 14, 2026. Covers CVEs and security issues for packages used in the GPS-denied solution (solution_draft05).
1. Summary Table
| Package | Current Version | CVE ID | Severity | Mitigation | Source |
|---|---|---|---|---|---|
| FastAPI | ≥0.135.0 | None (core) | — | No action for core FastAPI | — |
| FastAPI Api Key | — | CVE-2026-23996 | Medium | Update to ≥1.1.0 or avoid | GitLab Advisory |
| uvicorn | — | CVE-2025-43859 (h11) | Critical 9.1 | Pin h11 ≥0.16.0 | NVD |
| ONNX Runtime | — | AIKIDO-2026-10185 | Medium | Upgrade to ≥1.24.1 | Aikido Intel |
| ONNX | — | CVE-2025-51480 | High 8.8 | Patch in ONNX 1.17+ | NVD |
| aiohttp | — | CVE-2025-69223, -69226, -69227, -69228, -69229, -69230; CVE-2025-53643 (fixed in 3.12.14) | High/Medium/Low | Update to ≥3.13.3 | oss-sec |
| python-jose | 3.5.0 | CVE-2024-29370, 33663, 33664; unfixed 2026 issues | Medium | Replace with PyJWT | OpenCVE |
| PyTorch | ≥2.10.0 | CVE-2026-24747 (fixed in 2.10.0) | High 8.8 | Already mitigated | NVD |
| Pillow | ≥11.3.0 | CVE-2026-25990 | High 7.5 | Upgrade to ≥12.1.1 | NVD |
| GTSAM | 4.2 | None found | — | Monitor | — |
| numpy | — | AIKIDO-2025-10325 (2.2.x) | Low | Upgrade to ≥2.2.6 if on 2.2.x | Aikido Intel |
| safetensors | — | Metadata RCE (under review) | TBD | Monitor; avoid unsafe metadata parsing | huggingface_hub #3863 |
2. Detailed Findings by Package
2.1 FastAPI (≥0.135.0)
Core FastAPI: No CVEs affecting the main FastAPI package in 2025–2026.
Related packages (if used):
- CVE-2026-23996 (FastAPI Api Key): Timing side-channel in `verify_key()`; update to ≥1.1.0.
- CVE-2026-2978 (FastApiAdmin): Unrestricted file upload; update to ≥2.2.1.
- CVE-2025-68481 (fastapi-users): OAuth CSRF; update to ≥15.0.2.
Recommendation: No change for core FastAPI. If using FastAPI Api Key, FastApiAdmin, or fastapi-users, upgrade those packages.
2.2 uvicorn
CVE-2025-43859 (transitive via h11):
- Severity: Critical (CVSS 9.1)
- Cause: h11 <0.16.0 lenient parsing of chunked-encoding line terminators → HTTP request smuggling
- Impact: Security bypass, cache poisoning, session hijacking, data leakage
- Fix: Pin `h11>=0.16.0`. Uvicorn PR #2621 bumps h11 (merged May 2025).
Recommendation: Pin `h11>=0.16.0` in requirements and use a uvicorn release that depends on h11 ≥0.16.0. The lenient parser lives in h11, so the pin must target h11 itself; bumping uvicorn alone only helps if its own constraint drags h11 forward. The h11 advisory notes the smuggling is only exploitable when a reverse proxy in front of the server forwards the malformed chunk terminators, so review the proxy as well, but the h11 pin is the fix.
Sources: NVD CVE-2025-43859, Uvicorn PR #2621
2.3 ONNX Runtime
AIKIDO-2026-10185 (path traversal in model loading):
- Affected: ONNX Runtime 1.21.0–1.24.0
- Issue: External data references in TensorProto can use absolute paths or `../` traversal
- Impact: Load unintended files, data disclosure, unexpected behavior
- Fix: Upgrade to ONNX Runtime ≥1.24.1
CVE-2025-51480 (ONNX library save_external_data):
- Affected: ONNX 1.17.0
- Issue: Path traversal in `save_external_data` → arbitrary file overwrite
- Fix: ONNX patches in PR #7040; use a patched ONNX release.
Recommendation: Use ONNX Runtime ≥1.24.1. Ensure ONNX dependency is patched for CVE-2025-51480.
Sources: Aikido Intel AIKIDO-2026-10185, NVD CVE-2025-51480
2.4 aiohttp
Multiple CVEs fixed in 3.13.3 (released Jan 5, 2026):
| CVE | Severity | Issue |
|---|---|---|
| CVE-2025-69223 | High | Zip bomb DoS via compressed request |
| CVE-2025-69228 | High | Large payload DoS (e.g. Request.post()) |
| CVE-2025-69227 | High | DoS via bypassed asserts when PYTHONOPTIMIZE=1 |
| CVE-2025-69229 | Medium | Chunked message DoS (CPU exhaustion) |
| CVE-2025-69230 | Low | Cookie parser warning storm |
| CVE-2025-69226 | Low | Static file path brute-force |
| CVE-2025-53643 | — | HTTP request smuggling (fixed in 3.12.14) |
Recommendation: Upgrade to aiohttp ≥3.13.3.
Sources: oss-sec 2026/Q1, aiohttp GHSA-6mq8-rvhq-8wgg
2.5 python-jose (JWT)
Maintenance: Effectively unmaintained; minimal activity for ~2 years. Current version 3.5.0.
Known CVEs:
- CVE-2024-29370: DoS via malicious JWE (5.3 Medium)
- CVE-2024-33663: Algorithm confusion with OpenSSH ECDSA keys (6.5 Medium)
- CVE-2024-33664: JWT bomb via compressed JWE (5.3 Medium)
- CVE-2025-61152: `alg=none` acceptance (disputed by maintainers)
Unfixed 2026 issues (per GitHub #398):
- DER key algorithm confusion
- Missing algorithm whitelisting
- Timing side-channels
Recommendation: Replace with PyJWT. Okta and others have migrated away from python-jose. PyJWT is actively maintained and has stronger security defaults.
Sources: OpenCVE python-jose, Okta migration issue, python-jose #398
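The three weaknesses listed for python-jose (no algorithm allow-list, `alg=none` acceptance, timing side-channels) are easiest to see next to a verifier that closes them. The block below is an added illustration written for this page, not code from python-jose or PyJWT: a minimal HS256 signer/verifier that checks the header's `alg` only against the caller's allow-list, rejects unsigned tokens, compares signatures in constant time and checks `exp`. The key, claims and the hypothetical `drone-42` subject are constructed for the example. In production the same properties come from PyJWT's `jwt.decode(token, key, algorithms=["HS256"])`; the point here is what that `algorithms=` argument buys you.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not python-jose or PyJWT code): an HS256-only verifier that
# shows the checks the page says python-jose lacks. The key and claims below
# are constructed for the demo.


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segments(header: dict, claims: dict) -> str:
    return ".".join(_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))


def sign_hs256(claims: dict, key: bytes) -> str:
    signing_input = _segments({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_alg_none(claims: dict) -> str:
    # What an attacker sends to a verifier that trusts the header: an unsigned
    # token whose header says alg=none. Used here only as test input.
    return _segments({"alg": "none", "typ": "JWT"}, claims) + "."


def verify_hs256(token: str, key: bytes, allowed=("HS256",), now=None):
    """Return (True, claims) or (False, reason). The header's alg is only ever
    checked against the caller's allow-list, never used to pick the algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        given = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable segment"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return False, "header and payload must be JSON objects"
    alg = header.get("alg")
    # Allow-list: "none", an asymmetric alg with our secret used as HMAC key,
    # and anything else not explicitly requested is refused outright.
    if alg != "HS256" or alg not in allowed:
        return False, f"algorithm {alg!r} not allowed"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant time, no early exit
        return False, "bad signature"
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return False, "token expired or bad exp"
    return True, claims


def demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"
    claims = {"sub": "drone-42", "exp": 1_800_000_000}
    good = sign_hs256(claims, key)
    h, _p, s = good.split(".")
    tampered = ".".join([h, _b64url_encode(b'{"sub":"admin","exp":1800000000}'), s])
    t = 1_700_000_000  # fixed clock so the result is reproducible
    return {
        "good": verify_hs256(good, key, now=t)[0],
        "expired": verify_hs256(good, key, now=1_900_000_000)[0],
        "alg_none": verify_hs256(forge_alg_none(claims), key, now=t)[0],
        "wrong_key": verify_hs256(good, b"some-other-key", now=t)[0],
        "tampered": verify_hs256(tampered, key, now=t)[0],
    }
```

`demo()` returns `True` only for the genuine, unexpired token; the `alg=none` forgery fails at the allow-list check before any signature work, which is exactly the ordering a migration to PyJWT with an explicit `algorithms=` list gives you.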
2.6 PyTorch (≥2.10.0)
CVE-2026-24747 (fixed in 2.10.0):
- Severity: High (CVSS 8.8)
- Issue: `weights_only` unpickler memory corruption via crafted `.pth` checkpoints
- Impact: RCE when loading a malicious checkpoint with `torch.load(..., weights_only=True)`
- Fix: PyTorch ≥2.10.0
CVE-2025-32434 (fixed in 2.6.0):
- Severity: Critical (CVSS 9.8)
- Issue: RCE via `torch.load(..., weights_only=True)` despite documentation describing that mode as safe
- Fix: PyTorch ≥2.6.0
Recommendation: Keep PyTorch ≥2.10.0. No CVEs found affecting releases ≥2.10.0. Continue using `weights_only=True` and SHA256 checksums for weights: two bypasses of `weights_only=True` in one year show the flag narrows the unpickler but does not replace an integrity check on the checkpoint itself.
2.7 Pillow (≥11.3.0)
CVE-2026-25990 (PSD out-of-bounds write):
- Affected: 10.3.0 up to, but not including, 12.1.1
- Severity: High (CVSS 7.5)
- Issue: Out-of-bounds write when loading crafted PSD images
- Impact: Memory corruption, possible RCE, crashes
- Fix: Upgrade to Pillow ≥12.1.1
CVE-2025-48379 (DDS buffer overflow, fixed in 11.3.0):
- Already mitigated by Pillow ≥11.3.0.
Recommendation: Upgrade to Pillow ≥12.1.1 to address CVE-2026-25990. If the pipeline never ingests PSD files, also pass an explicit `formats=` list to `Image.open()` so only the decoders the solution actually needs are tried; that limits exposure to bugs in formats it does not use.
Sources: NVD CVE-2026-25990, GitLab Advisory
2.8 GTSAM (4.2)
Findings: No CVEs or known security issues for GTSAM 4.2 in public databases.
Recommendation: No change. Monitor GTSAM security advisories and CVE feeds.
2.9 numpy
AIKIDO-2025-10325 (heap buffer overflow):
- Affected: NumPy 2.2.0–2.2.5
- Issue: `numpy.strings.find()` incorrect allocation → heap buffer overflow
- Fix: Upgrade to NumPy ≥2.2.6
CVE-2025-62608 (MLX, not NumPy): Malicious .npy parsing in MLX; fixed in MLX 0.29.4. NumPy itself is not directly affected.
Recommendation: If using NumPy 2.2.x, upgrade to ≥2.2.6. Otherwise no action.
2.10 safetensors
Known attack vectors (research, not formal CVEs):
- Polyglot files: Malicious data appended after valid safetensors payload
- Header bombs: Large JSON headers causing DoS
- Model poisoning: Backdoors in fine-tuned weights
- Conversion hijacking: Hugging Face safetensors conversion service compromise (Feb 2024)
Metadata RCE (under review):
- Report on huntr.com (Feb 2026) and huggingface_hub #3863
- Related to metadata parsing in AI/ML libraries (e.g. Hydra `instantiate()`)
- Details still limited; embargo possible until resolution
Recommendation: Continue using safetensors for weights (safer than pickle). Avoid parsing metadata with unsafe deserialization. Monitor safetensors and huggingface_hub advisories.
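The header-bomb and polyglot vectors above are structural, so they can be screened for before any ML library opens the file. The block below is an added example written for this page, not code from the safetensors project: a stand-alone validator for the container layout (8-byte little-endian header length, UTF-8 JSON header, then raw tensor bytes) that caps the header size, requires `__metadata__` to be a string-to-string map it never deserialises, checks each tensor's byte length against `dtype × shape`, and requires the tensors to tile the data section exactly so trailing bytes are rejected. The header cap, dtype table and sample files are assumptions constructed for the example.

```python
import json
import struct

# Added example, not code from the safetensors project: a stand-alone
# validator for the safetensors container. The header cap and dtype table
# are assumptions chosen for this example; sample files are constructed.

MAX_HEADER_BYTES = 100_000_000
DTYPE_SIZE = {"BOOL": 1, "U8": 1, "I8": 1, "F16": 2, "BF16": 2, "I16": 2, "U16": 2,
              "F32": 4, "I32": 4, "U32": 4, "F64": 8, "I64": 8, "U64": 8}
TENSOR_KEYS = ("dtype", "shape", "data_offsets")


def check_safetensors(blob: bytes, max_header: int = MAX_HEADER_BYTES) -> list:
    """Return a list of problems; an empty list means the container is well-formed."""
    if len(blob) < 8:
        return ["file shorter than the 8-byte length prefix"]
    (n,) = struct.unpack("<Q", blob[:8])
    if n > max_header:  # header bomb: refuse before attempting a huge JSON parse
        return [f"header length {n} exceeds cap {max_header}"]
    if 8 + n > len(blob):
        return [f"header length {n} runs past end of file"]
    try:
        header = json.loads(blob[8:8 + n].decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return [f"header is not valid UTF-8 JSON: {exc}"]
    if not isinstance(header, dict):
        return ["header is not a JSON object"]

    problems, spans = [], []
    meta = header.get("__metadata__", {})
    if not (isinstance(meta, dict) and all(isinstance(k, str) and isinstance(v, str)
                                           for k, v in meta.items())):
        problems.append("__metadata__ must be a string-to-string map")

    for name, info in header.items():
        if name == "__metadata__":
            continue
        if not isinstance(info, dict) or not all(k in info for k in TENSOR_KEYS):
            problems.append(f"{name}: missing dtype/shape/data_offsets")
            continue
        size, shape, offs = DTYPE_SIZE.get(info["dtype"]), info["shape"], info["data_offsets"]
        if size is None or not isinstance(shape, list) or not all(
                isinstance(d, int) and d >= 0 for d in shape):
            problems.append(f"{name}: unsupported dtype or bad shape")
            continue
        if not (isinstance(offs, list) and len(offs) == 2
                and all(isinstance(o, int) for o in offs) and 0 <= offs[0] <= offs[1]):
            problems.append(f"{name}: bad data_offsets")
            continue
        expected = size
        for d in shape:
            expected *= d
        if offs[1] - offs[0] != expected:
            problems.append(f"{name}: byte length {offs[1] - offs[0]} != dtype*shape {expected}")
        spans.append((offs[0], offs[1], name))

    # The data section must be tiled exactly by the tensors: no gaps, no overlap
    # and no trailing bytes (trailing bytes are where a polyglot hides its payload).
    cursor = 0
    for begin, end, name in sorted(spans):
        if begin != cursor:
            problems.append(f"{name}: data starts at {begin}, expected {cursor} (gap or overlap)")
        cursor = max(cursor, end)
    data_len = len(blob) - 8 - n
    if cursor != data_len:
        problems.append(f"data section is {data_len} bytes but tensors cover {cursor} (trailing or missing bytes)")
    return problems


def build_safetensors(tensors: dict, metadata=None) -> bytes:
    """Serialise {name: (dtype, shape, raw_bytes)} into the container; used to build test input."""
    header, data = {}, b""
    if metadata is not None:
        header["__metadata__"] = metadata
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [len(data), len(data) + len(raw)]}
        data += raw
    hdr = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(hdr)) + hdr + data


def demo() -> dict:
    # Constructed samples: a valid file, a polyglot, a header bomb and a shape/offset mismatch.
    good = build_safetensors({"w": ("F32", [2, 2], bytes(16)), "b": ("F16", [2], bytes(4))},
                             {"format": "pt", "note": "constructed sample"})
    polyglot = good + b"MZ\x90\x00 hidden payload"
    bomb = struct.pack("<Q", 1 << 40) + b"{}"
    short = build_safetensors({"w": ("F32", [2, 2], bytes(8))})
    return {
        "good": check_safetensors(good) == [],
        "polyglot": any("trailing" in p for p in check_safetensors(polyglot)),
        "header_bomb": any("exceeds cap" in p for p in check_safetensors(bomb)),
        "shape_mismatch": any("dtype*shape" in p for p in check_safetensors(short)),
    }
```

The safetensors library performs its own layout validation when it opens a file; the value of a standard-library-only checker like this is that it can run at the quarantine or upload step, before any ML dependency touches the bytes, and it leaves `__metadata__` as plain strings rather than feeding them to anything that instantiates objects.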
3. Supply Chain & Model File Attacks
PyTorch model weights
Known CVEs:
- CVE-2025-32434: RCE via `weights_only=True` (≤2.5.1) — fixed in 2.6.0
- CVE-2026-24747: Memory corruption in `weights_only` unpickler (<2.10.0) — fixed in 2.10.0
No additional supply chain CVEs found beyond these. Mitigations remain:
- PyTorch ≥2.10.0
- `weights_only=True` for all `torch.load()` calls
- SHA256 checksums for all weights
- Prefer safetensors where available
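The checksum and `weights_only=True` mitigations listed here and in 2.6 belong in one code path so a checkpoint is never unpickled before its digest is verified. The block below is an added example, not PyTorch's own code: it pins a file to a SHA-256 digest, compares in constant time, and only then calls `torch.load(..., weights_only=True)`. `torch` is imported lazily inside the loader so the checksum half runs without PyTorch installed; the manifest format (file name to hex digest), the `pose_net.pth` name and the sample bytes are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Added example, not PyTorch code: gate every checkpoint load behind a
# SHA-256 pin and weights_only=True. The manifest layout and sample files
# are assumptions constructed for this example.


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_sha256(path: str, expected_hex: str) -> bool:
    # compare_digest keeps the comparison time independent of how many
    # leading digest characters happen to match.
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def load_checkpoint(path: str, expected_hex: str, map_location="cpu"):
    """Refuse to hand the file to torch.load unless the digest matches.
    weights_only=True restricts the unpickler (PyTorch >=2.6 for CVE-2025-32434,
    >=2.10 for CVE-2026-24747) but is not a substitute for the integrity check."""
    if not verify_sha256(path, expected_hex):
        raise ValueError(f"checksum mismatch for {path}; refusing to load")
    import torch  # imported here so the checksum logic runs without PyTorch installed
    return torch.load(path, map_location=map_location, weights_only=True)


def demo() -> dict:
    # Constructed sample: bytes standing in for a checkpoint and a one-byte tampered copy.
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "pose_net.pth")
        with open(good, "wb") as f:
            f.write(b"constructed checkpoint bytes, not a real .pth")
        pinned = sha256_file(good)  # the value you would commit to the weights manifest
        tampered = os.path.join(d, "pose_net_tampered.pth")
        with open(tampered, "wb") as f:
            f.write(b"constructed checkpoint bytes, not a real .pth!")
        return {"good": verify_sha256(good, pinned), "tampered": verify_sha256(tampered, pinned)}
```

Where a safetensors file is available instead, swap the `torch.load` call for `safetensors.torch.load_file(path)` and keep the checksum gate unchanged; the digest check is what makes the pinned artefact the one that was tested, regardless of container format.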
ONNX model files
Path traversal:
- AIKIDO-2026-10185 (ONNX Runtime 1.21–1.24): External data path traversal
- CVE-2025-51480 (ONNX): `save_external_data` path traversal
Recommendation: Use ONNX Runtime ≥1.24.1. Load only ONNX models from trusted sources; validate external data paths.
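"Validate external data paths" (here and in 2.3) is concrete enough to implement. The block below is an added example, not ONNX or ONNX Runtime code: it rejects any external-data `location` that is absolute (POSIX or Windows), contains a `..` segment, or resolves outside the model directory, and walks a model's initializers to report offenders. The model object is only duck-typed (`graph.initializer[*].external_data` entries with `key`/`value`, the shape of `onnx.TensorProto`), so `onnx` is not imported; the fake model, tensor names and `/models/gps_denied_v5` directory are constructed for the example.

```python
import os
import re
from types import SimpleNamespace

# Added example, not ONNX or ONNX Runtime code: check external-data locations
# before a model is handed to the runtime. The model is duck-typed on the
# onnx.ModelProto attribute shape; sample model and directory are constructed.

_WINDOWS_ABS = re.compile(r"^[A-Za-z]:|^[\\/]")  # drive letter, UNC or root-relative


def is_safe_external_location(location: str, model_dir: str) -> bool:
    """True only if `location` is a relative path that stays inside model_dir."""
    if not location or "\x00" in location:
        return False
    if os.path.isabs(location) or _WINDOWS_ABS.match(location):
        return False
    parts = re.split(r"[\\/]+", location)
    if any(p in ("", "..") for p in parts):  # no parent hops, no trailing separator
        return False
    base = os.path.realpath(model_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    # After normalisation (and symlink resolution where the path exists) the
    # target must still sit under the model directory.
    return os.path.commonpath([base, target]) == base


def unsafe_external_references(model, model_dir: str) -> list:
    """[(tensor_name, location)] for every initializer whose external 'location'
    would escape model_dir. With onnx: model = onnx.load(p, load_external_data=False)."""
    bad = []
    for tensor in model.graph.initializer:
        for entry in tensor.external_data:
            if entry.key == "location" and not is_safe_external_location(entry.value, model_dir):
                bad.append((tensor.name, entry.value))
    return bad


def _fake_model(refs):
    # Constructed stand-in with the attribute shape of onnx.ModelProto.
    inits = [SimpleNamespace(name=n, external_data=[SimpleNamespace(key="location", value=loc)])
             for n, loc in refs]
    return SimpleNamespace(graph=SimpleNamespace(initializer=inits))


def demo() -> list:
    model = _fake_model([
        ("conv1.weight", "weights/conv1.bin"),      # fine
        ("fc.weight", "../../../etc/passwd"),       # parent-directory traversal
        ("bias", "/etc/shadow"),                    # absolute path
        ("embed", "C:\\Windows\\system.ini"),       # Windows absolute path
        ("norm", "weights/../weights/norm.bin"),    # lands inside, but '..' is refused on principle
    ])
    return unsafe_external_references(model, "/models/gps_denied_v5")
```

Run the check on `onnx.load(path, load_external_data=False)` so the validation itself never dereferences the locations; only once the list comes back empty should the file be passed to the ONNX Runtime session. Rejecting `..` even when it would resolve inside the directory keeps the rule simple enough to audit.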
4. Action Items for solution_draft05
| Priority | Action |
|---|---|
| Critical | Replace python-jose with PyJWT |
| Critical | Upgrade Pillow to ≥12.1.1 |
| High | Upgrade aiohttp to ≥3.13.3 |
| High | Pin h11 ≥0.16.0 (uvicorn transitive) |
| High | Use ONNX Runtime ≥1.24.1 |
| Medium | If NumPy 2.2.x: upgrade to ≥2.2.6 |
| Monitor | safetensors metadata RCE; GTSAM advisories |
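The version floors in this table are only useful if something checks them against what is actually installed, including transitive packages such as h11. The block below is an added example written for this page, not part of solution_draft05: a standard-library-only audit of `pip freeze` output against a policy dict that encodes the table (minimum versions, the numpy 2.2.x-only condition, and python-jose as banned). Package names are normalised as PyPI does, and the comparison handles dotted releases, `a`/`b`/`rc` pre-release tags and `+local` suffixes such as `torch==2.10.0+cu121`. The policy dict, the `fastapi-api-key` distribution name and the sample freeze listing are assumptions constructed for the example.

```python
import re

# Added example, not part of solution_draft05: audit a pip freeze listing
# against the action-item floors. Policy dict and sample listing are
# constructed for this example; `fastapi-api-key` is an assumed PyPI name.

MIN_VERSIONS = {
    "fastapi-api-key": "1.1.0",
    "h11": "0.16.0",          # transitive via uvicorn
    "onnxruntime": "1.24.1",
    "aiohttp": "3.13.3",
    "torch": "2.10.0",
    "pillow": "12.1.1",
    "numpy": "2.2.6",         # only enforced on the 2.2.x line
}
BANNED = {"python-jose": "replace with PyJWT"}
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def version_key(v: str):
    """Sortable key: (release tuple, pre-release rank). Final releases rank last."""
    v = v.strip().split("+", 1)[0]  # drop local labels such as +cu121
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:  # 2.10.0 == 2.10
        release = release[:-1]
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return release, pre


def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 normalisation


def parse_freeze(text: str) -> dict:
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)", line)
        if m:
            installed[normalize(m.group(1))] = m.group(2)
    return installed


def audit(freeze_text: str, minimums=MIN_VERSIONS, banned=BANNED) -> list:
    """Return findings as (package, installed, action); empty list means compliant."""
    installed = parse_freeze(freeze_text)
    findings = [(p, installed[p], why) for p, why in banned.items() if p in installed]
    for pkg, floor in minimums.items():
        have = installed.get(pkg)
        if have is None:
            continue  # not in the listing; nothing to pin
        if pkg == "numpy" and version_key(have)[0][:2] != (2, 2):
            continue  # the NumPy advisory covers 2.2.0-2.2.5 only
        if version_key(have) < version_key(floor):
            findings.append((pkg, have, f"upgrade to >={floor}"))
    return findings


SAMPLE_FREEZE = """\
# constructed pip freeze output for the example, not from solution_draft05
aiohttp==3.12.14
fastapi==0.135.0
h11==0.14.0
numpy==2.3.1
onnxruntime==1.24.0
Pillow==11.3.0
python-jose==3.5.0
torch==2.10.0+cu121
"""


def demo() -> list:
    return audit(SAMPLE_FREEZE)
```

Feed it `pip freeze` from the deployment environment rather than `requirements.txt`, since the h11 finding only shows up when the resolved transitive set is inspected; wiring `audit()` into CI with a non-zero exit on any finding turns this table into an enforced gate.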
5. Source URLs
- NVD CVE-2025-43859 — h11/uvicorn
- NVD CVE-2025-51480 — ONNX
- NVD CVE-2025-53643 — aiohttp request smuggling
- NVD CVE-2025-69223 — aiohttp zip bomb
- NVD CVE-2026-24747 — PyTorch
- NVD CVE-2026-25990 — Pillow PSD
- Aikido Intel AIKIDO-2026-10185 — ONNX Runtime
- Aikido Intel AIKIDO-2025-10325 — NumPy
- aiohttp GHSA-6mq8-rvhq-8wgg
- oss-sec aiohttp 2026/Q1
- Uvicorn PR #2621 — h11 bump
- safetensors metadata RCE #3863
- python-jose unmaintained (Okta)
- python-jose security issues #398