Skip to content

fix(deps): bump cryptography, pyjwt, python-multipart for security advisories#161

Merged
abubnalitic-nbl merged 1 commit into
mainfrom
fix/transitive-cve-bumps
Jun 17, 2026
Merged

fix(deps): bump cryptography, pyjwt, python-multipart for security advisories#161
abubnalitic-nbl merged 1 commit into
mainfrom
fix/transitive-cve-bumps

Conversation

@abubnalitic-nbl

Copy link
Copy Markdown
Contributor

The Build & Scan (Trivy) gate now fails on three HIGH transitive advisories that entered Trivy's vulnerability DB after the last green scan. They affect main directly — not just open PRs — so the scheduled container rescan will begin failing too, and every PR's Build & Scan is blocked until they are bumped. This is the same advisory wave being patched across other repos.

Lockfile-only; no pyproject.toml change, since the upstream constraints already permit the fixed versions:

  • cryptography 46.0.7 → 49.0.0 — GHSA-537c-gmf6-5ccf (vulnerable OpenSSL bundled in wheels)
  • pyjwt 2.12.1 → 2.13.0 — CVE-2026-48526 (authentication bypass via forged JWTs)
  • python-multipart 0.0.27 → 0.0.32 — CVE-2026-53539 (quadratic querystring parsing → CPU DoS)

Verified locally: uv sync clean, ruff clean, 85 tests pass. Once merged, #150 rebases green on top of this.

🤖 Generated with Claude Code

…visories

Resolves three HIGH transitive vulnerabilities flagged by the Build & Scan (Trivy) gate. Lockfile-only — no pyproject change, since upstream constraints already permit the fixed versions:

- cryptography 46.0.7 -> 49.0.0 (GHSA-537c-gmf6-5ccf: vulnerable OpenSSL bundled in wheels)
- pyjwt 2.12.1 -> 2.13.0 (CVE-2026-48526: authentication bypass via forged JWTs)
- python-multipart 0.0.27 -> 0.0.32 (CVE-2026-53539: quadratic querystring parsing CPU DoS)

Verified: uv sync clean, ruff clean, 85 tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
@github-actions

Copy link
Copy Markdown
Contributor

Vulnerability Scan: Failed — blocking vulnerabilities detected

Image: netbox-mcp-server:scan

Source Library CVE Severity Installed Fixed Title
Python starlette CVE-2026-48818 🟠 HIGH 0.52.1 1.1.0 Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Window
Python starlette CVE-2026-54283 🟠 HIGH 0.52.1 1.3.1 Starlette: request.form() limits silently ignored for application/x-www-form-url
Python starlette CVE-2026-48710 🟡 MEDIUM 0.52.1 1.0.1 starlette: Starlette: Security restriction bypass via malformed HTTP Host header
Python starlette CVE-2026-48817 🟡 MEDIUM 0.52.1 1.1.0 Starlette: Arbitrary HTTP method dispatched to HTTPEndpoint attributes via `ge
Python starlette CVE-2026-54282 ⚪ LOW 0.52.1 1.3.0 Starlette: Unvalidated request path concatenated into authority poisons request.

Commit: 0bb57dc

@abubnalitic-nbl abubnalitic-nbl merged commit 238f423 into main Jun 17, 2026
12 of 13 checks passed
@abubnalitic-nbl abubnalitic-nbl deleted the fix/transitive-cve-bumps branch June 17, 2026 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants