
[release-0.9] Bump dependencies to remediate CVEs (aiohttp, starlette, pyjwt, urllib3, python-dotenv, python-multipart) #933

Open

fabianvf wants to merge 1 commit into konveyor:release-0.9 from fabianvf:cve-remediation-deps-0.9

Conversation

fabianvf (Contributor) commented Jul 1, 2026

Summary

Remediates the CVEs from JIRA_TICKETS.md that actually affect kai_mcp_solution_server's dependency tree by raising security floors to the fixed releases. Most tickets in the list (all Jupyter/JupyterLab/nbconvert, vLLM, mistune, joserfc, and OpenTelemetry Java) do not apply — those packages are absent from every lockfile (we use OpenTelemetry for Go and Python only).

| Package | Before → After | CVE |
|---|---|---|
| aiohttp | 3.13.3 → ≥3.14.0 | RCE via CookieJar.load() on untrusted input |
| starlette | 0.51.0 → ≥1.3.1 | malformed Host-header restriction bypass; request.form() urlencoded limits ignored (DoS) |
| python-multipart | 0.0.21 → ≥0.0.27 | DoS via excessive multipart part headers |
| python-dotenv | 1.2.1 → ≥1.2.2 | arbitrary file overwrite via symlink following |
| pyjwt | 2.10.1 → ≥2.13.0 | auth bypass via forged JWT (HMAC/JWK confusion) |
| urllib3 | 2.6.3 → ≥2.7.0 | decompression DoS; sensitive-header leak on cross-origin redirect |

Floors are pinned in pyproject.toml following the repo's existing convention (zipp/pyasn1/urllib3 are already listed as transitive security floors). uv.lock and requirements.txt are regenerated; requirements.txt was materialized on Linux to match the verify-requirements-txt CI check.

Testing

  • run_mypy.sh (CI type check) passes.
  • Integration suite run in a CI-equivalent Linux env: test_mcp_client_endpoints and test_tool_metadata pass on the new deps — confirming the starlette 0→1 major bump serves correctly over the real stdio/ASGI path.
  • test_solution_server_1 fails with a pre-existing, timing-related IndexError (empty hint content) that reproduces identically on the untouched baseline, i.e. it is not caused by these bumps.

🤖 Generated with Claude Code
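As an added example (not code from the PR or the konveyor repository), the following stdlib-only script checks that a materialized requirements.txt actually satisfies the security floors listed in the table above, which is the kind of assertion a reviewer would want next to the verify-requirements-txt CI check. The sample requirements text is constructed, with two entries deliberately left on their pre-fix versions; package-name normalization follows the PEP 503 rule, and version comparison is a simplified numeric-tuple compare (pre-release suffixes are ignored), not full PEP 440, so a production version should use packaging.version instead.

```python
import re
from typing import Dict, List, Tuple

# Security floors taken from the PR table: package -> minimum fixed release.
SECURITY_FLOORS: Dict[str, str] = {
    "aiohttp": "3.14.0",
    "starlette": "1.3.1",
    "python-multipart": "0.0.27",
    "python-dotenv": "1.2.2",
    "pyjwt": "2.13.0",
    "urllib3": "2.7.0",
}

# Constructed sample of a materialized requirements.txt (hash values are dummies).
# pyjwt and python-multipart are left on their pre-fix versions on purpose.
SAMPLE_REQUIREMENTS = """\
# generated by uv export (constructed sample)
aiohttp==3.14.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
PyJWT==2.10.1
starlette==1.3.1
python_multipart==0.0.21
python-dotenv==1.2.2
urllib3==2.7.0
"""

_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric release tuple only (e.g. '2.10.1' -> (2, 10, 1)).

    Simplification: a pre-release suffix such as 'rc1' is dropped, so
    '3.14.0rc1' compares equal to '3.14.0'. Use packaging.version for
    strict PEP 440 semantics.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """True when a < b, padding the shorter tuple with zeros ((3, 14) == (3, 14, 0))."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_pins(requirements_text: str) -> Dict[str, str]:
    """Map normalized package name -> pinned version from '==' lines.

    Comments, blank lines and option lines (e.g. '--hash=...') are skipped;
    a trailing ' \\' continuation is ignored because the regex is anchored
    at the start of the line only.
    """
    pins: Dict[str, str] = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _PIN_RE.match(line)
        if match:
            pins[normalize_name(match.group(1))] = match.group(2)
    return pins


def check_floors(requirements_text: str, floors: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned, floor) for every pin that sits below its security floor.

    Packages absent from the requirements are not reported: a floor on a
    package that is not in the tree is harmless.
    """
    pins = parse_pins(requirements_text)
    violations = []
    for pkg, floor in floors.items():
        pinned = pins.get(normalize_name(pkg))
        if pinned is not None and version_lt(parse_version(pinned), parse_version(floor)):
            violations.append((normalize_name(pkg), pinned, floor))
    return sorted(violations)


if __name__ == "__main__":
    for pkg, pinned, floor in check_floors(SAMPLE_REQUIREMENTS, SECURITY_FLOORS):
        print(f"{pkg}: pinned {pinned} is below security floor {floor}")
```

Pointed at the real file (for example `check_floors(open("requirements.txt").read(), SECURITY_FLOORS)`), an empty result means every remediated package resolved at or above its floor; a non-empty result means the lockfile regeneration did not pick up the fixed release and the bump should not merge.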

…b3, python-dotenv, python-multipart)

Raise security floors in kai_mcp_solution_server for the CVEs from
JIRA_TICKETS.md that actually affect our dependency tree:

- aiohttp        3.13.3 -> >=3.14.0  (RCE via CookieJar.load on untrusted input)
- starlette      0.51.0 -> >=1.3.1   (malformed Host header bypass; urlencoded form limits ignored)
- python-multipart 0.0.21 -> >=0.0.27 (DoS via excessive multipart headers)
- python-dotenv  1.2.1  -> >=1.2.2   (arbitrary file overwrite via symlink)
- pyjwt          2.10.1 -> >=2.13.0  (auth bypass via forged JWT HMAC/JWK confusion)
- urllib3        2.6.3  -> >=2.7.0   (decompression DoS; header leak on cross-origin redirect)

Non-applicable ticket entries (Jupyter*, vLLM, mistune, joserfc,
OpenTelemetry Java) are not present in any dependency tree; no action.

uv.lock and requirements.txt regenerated (requirements.txt materialized
on Linux to match CI's verify-requirements-txt check).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
coderabbitai Bot (Contributor) commented Jul 1, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 86a0cfb5-48b1-4441-9cb7-1676b84832ff

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

