🚨 Security: 33 critical/high vulnerabilities found in Python dependencies

[github-actions]

Summary

Security audit of Python dependencies found 33 known vulnerabilities in the backend dependencies.

Vulnerabilities Found

Critical Severity

Package	Current Version	CVE ID	Fix Version
urllib3	2.0.7	CVE-2024-37890	1.26.19, 2.2.2

High Severity

Package	Current Version	CVE ID	Fix Version
starlette	0.37.2	CVE-2024-47874	0.40.0
jinja2	3.1.2	CVE-2024-22195	3.1.3
cryptography	41.0.7	Multiple	46.0.5
idna	3.6	PYSEC-2024-60	3.7
requests	2.31.0	CVE-2024-35195	2.32.0
certifi	2023.11.17	PYSEC-2024-230	2024.7.4
twisted	24.3.0	Multiple	24.7.0rc1
configobj	5.0.8	CVE-2023-26112	5.0.9
pip	24.0	CVE-2025-8869	25.3
setuptools	68.1.2	PYSEC-2025-49	78.1.1
wheel	0.42.0	CVE-2026-24049	0.46.2

Additional CVEs (Medium/Low)

• starlette: CVE-2025-54121 (fix: 0.47.2)
• jinja2: CVE-2024-34064, CVE-2024-56326, CVE-2024-56201, CVE-2025-27516
• urllib3: CVE-2025-50181, CVE-2025-66418, CVE-2025-66471, CVE-2026-21441
• requests: CVE-2024-47081
• cryptography: CVE-2023-50782, CVE-2024-0727, GHSA-h4gh-qq45-vh27, CVE-2026-26007

Recommended Actions

Update Python dependencies in packages/pybackend/pyproject.toml:

cd packages/pybackend
uv sync --upgrade

Or manually update key packages to patched versions:

• fastapi>=0.115.0 (will pull patched starlette)
• jinja2>=3.1.6
• urllib3>=2.6.3
• requests>=2.32.4
• cryptography>=46.0.5
• idna>=3.7
• certifi>=2024.7.4
• pip>=25.3
• setuptools>=78.1.1
• wheel>=0.46.2

Tool Output

pip-audit output showing 33 known vulnerabilities in 12 packages

Notes

• Frontend (npm) dependencies: No vulnerabilities found ✅
• Run pip-audit after updating to verify fixes

[github-actions]

Investigation: 🚨 Security: 33 critical/high vulnerabilities found in Python dependencies

Issue: #278 (#278)
Type: CHORE
Investigated: 2026-03-11T05:53:00Z

Assessment

Metric	Value	Reasoning
Priority	HIGH	Security vulnerabilities with critical/high severity require immediate attention; exposed production systems at risk
Complexity	LOW	Single file update (pyproject.toml), no code changes needed, well-understood dependency management
Confidence	HIGH	Clear vulnerability list provided, recommended fix versions specified, dependency upgrade is straightforward

---

Problem Statement

The backend has 33 known security vulnerabilities in Python dependencies, including 1 critical (CVE-2024-37890 in urllib3) and 11 high-severity CVEs affecting starlette, jinja2, cryptography, requests, and other core packages. These need to be addressed to secure the application.

---

Analysis

Root Cause / Change Rationale

The pinned dependency versions in packages/pyproject.toml are outdated and contain known security vulnerabilities. The lock file (uv.lock) pins these vulnerable versions, so updating the minimum versions in pyproject.toml and regenerating the lock file will resolve the issues.

Evidence Chain

WHY: 33 vulnerabilities reported in pip-audit
↓ BECAUSE: Pinned dependency versions are old and have known CVEs
Evidence: packages/pybackend/pyproject.toml:7-17 - fastapi==0.111.0, uvicorn==0.29.0, etc.

↓ BECAUSE: No upper bounds on versions, and pinned versions haven't been updated
Evidence: packages/pybackend/uv.lock - contains resolved vulnerable versions

↓ ROOT CAUSE: Dependencies need version bumps to patched releases
Evidence: Issue provides specific fix versions for each CVE

Affected Files

File	Lines	Action	Description
packages/pybackend/pyproject.toml	7-17	UPDATE	Bump minimum versions for security
packages/pybackend/uv.lock	NEW (regen)	UPDATE	Regenerate lock file with fixed deps

Integration Points

• uv sync resolves dependencies from pyproject.toml
• Lock file is committed to ensure reproducible builds
• No code changes required - pure dependency update

Git History

• No recent dependency updates found - this is a fresh security audit finding
• Implication: Long-standing issue with accumulated vulnerabilities

---

Implementation Plan

Step 1: Update pyproject.toml with secure minimum versions

File: packages/pybackend/pyproject.toml
Lines: 7-17
Action: UPDATE

Current code:

dependencies = [
  "fastapi==0.111.0",
  "python-frontmatter==1.0.0",
  "uvicorn==0.29.0",
  "ruff>=0.1.0",
  "pytest>=7.0.0",
  "pytest-cov>=4.0.0",
  "httpx>=0.24.0",
  "PyYAML>=6.0.1",
  "apscheduler>=3.11.2",
]

Required change:

dependencies = [
  "fastapi>=0.115.0",
  "python-frontmatter==1.0.0",
  "uvicorn>=0.30.0",
  "ruff>=0.1.0",
  "pytest>=7.0.0",
  "pytest-cov>=4.0.0",
  "httpx>=0.27.0",
  "PyYAML>=6.0.2",
  "apscheduler>=3.11.2",
  "jinja2>=3.1.6",
  "urllib3>=2.6.3",
  "requests>=2.32.4",
  "cryptography>=46.0.5",
  "idna>=3.7",
  "certifi>=2024.7.4",
]

Why: These minimum versions incorporate the security patches for all CVEs mentioned in the issue. Removing pin (==) and using minimum version (>=) allows uv to resolve to latest compatible secure versions.

---

Step 2: Regenerate uv.lock

File: packages/pybackend/uv.lock
Action: UPDATE (regenerate)

cd packages/pybackend && uv lock

Why: Regenerates the lock file with updated dependency versions that satisfy the new minimum version constraints.

---

Step 3: Sync dependencies

Action: UPDATE

cd packages/pybackend && uv sync

Why: Installs the updated dependencies and ensures they're properly resolved.

---

Step 4: Verify vulnerabilities are resolved

Action: VERIFY

cd packages/pybackend && uv pip install pip-audit && uv run pip-audit

Why: Confirms that no known vulnerabilities remain in the resolved dependency tree.

---

Patterns to Follow

From codebase - dependency version patterns:

# packages/pybackend/pyproject.toml:7-17
# Current pattern uses both pinned (==) and minimum (>=) versions
# For security updates, use minimum versions (>=) to get latest patches
dependencies = [
  "fastapi==0.111.0",
  "ruff>=0.1.0",
]

---

Edge Cases & Risks

Risk/Edge Case	Mitigation
API breaking changes in major version bumps	Test thoroughly; fastapi 0.115+ is stable
Lock file conflicts	Regenerate lock file fresh
Python version compatibility	Requires Python 3.10+ per pyproject.toml line 6

---

Validation

Automated Checks

cd packages/pybackend
uv sync
uv run pip-audit
uv run python -c "import fastapi; print(fastapi.__version__)"

Manual Verification

1. Start backend: make run or cd packages/pybackend && uv run uvicorn app:app --host 0.0.0.0 --port 3000
2. Verify app responds at http://localhost:3000
3. Check no import errors in logs

---

Scope Boundaries

IN SCOPE:

• Update packages/pybackend/pyproject.toml minimum versions
• Regenerate packages/pybackend/uv.lock
• Verify vulnerabilities resolved

OUT OF SCOPE (do not touch):

• Frontend npm dependencies (already verified clean per issue)
• Any code changes - pure dependency update only
• Other infrastructure or configuration

---

Metadata

• Investigated by: GHAR
• Timestamp: 2026-03-11T05:53:00Z
• Artifact: .ghar/issues/issue-278.md

[github-actions]

Updated Scan Results (2026-03-12)

Latest pip-audit scan found 31 known vulnerabilities in 11 packages. Some newer CVEs not previously reported:

New/Updated CVEs Found

Package	Version	CVE ID	Fix Version
cryptography	41.0.7	CVE-2026-26007	46.0.5
pip	24.0	CVE-2026-1703	26.0
urllib3	2.0.7	CVE-2026-21441	2.6.3
wheel	0.42.0	CVE-2026-24049	0.46.2
jinja2	3.1.2	CVE-2025-27516	3.1.6

Full Vulnerability List (31 total)

• certifi: PYSEC-2024-230 (fix: 2024.7.4)
• configobj: CVE-2023-26112 (fix: 5.0.9)
• cryptography: Multiple CVEs (fix: 46.0.5)
• idna: PYSEC-2024-60 (fix: 3.7)
• jinja2: Multiple CVEs (fix: 3.1.6)
• pip: CVE-2025-8869, CVE-2026-1703 (fix: 26.0)
• requests: CVE-2024-35195, CVE-2024-47081 (fix: 2.32.4)
• setuptools: PYSEC-2025-49, CVE-2024-6345 (fix: 70.0.0)
• twisted: PYSEC-2024-75, CVE-2024-41671 (fix: 24.7.0rc1)
• urllib3: Multiple CVEs (fix: 2.6.3)
• wheel: CVE-2026-24049 (fix: 0.46.2)

Frontend Status

• npm audit: ✅ No vulnerabilities found

Run in packages/pybackend to apply fixes.

[github-actions]

Follow-up Scan (March 13, 2026)

A fresh security scan of the project's actual dependencies shows reduced vulnerabilities:

Current Project Dependencies Audit

Package	Version	CVE ID	Severity	Fix Version
starlette	0.37.2	CVE-2024-47874	HIGH (8.7 CVSS)	0.40.0
starlette	0.37.2	CVE-2025-54121	MEDIUM (5.3 CVSS)	0.47.2

Status

• Frontend (npm): No vulnerabilities ✅
• Backend (pip-audit): 1 HIGH severity vulnerability remaining

The HIGH severity CVE-2024-47874 is a DoS vulnerability in multipart/form-data handling. Update starlette to >=0.40.0 (or upgrade fastapi to pull in patched dependencies).

Command to update:

cd packages/pybackend
uv sync --upgrade

[github-actions]

Updated Scan Results (March 16, 2026)

Re-scanned Python dependencies with pip-audit. Found 32 known vulnerabilities in 12 packages (slightly updated from 33 previously).

Current Vulnerabilities Still Present:

Package	Version	Vulnerabilities
certifi	2023.11.17	PYSEC-2024-230
configobj	5.0.8	CVE-2023-26112
cryptography	41.0.7	PYSEC-2024-225, CVE-2023-50782, CVE-2024-0727, GHSA-h4gh-qq45-vh27, CVE-2026-26007
idna	3.6	PYSEC-2024-60
jinja2	3.1.2	CVE-2024-22195, CVE-2024-34064, CVE-2024-56326, CVE-2024-56201, CVE-2025-27516
pip	24.0	CVE-2025-8869, CVE-2026-1703
pyjwt	2.7.0	CVE-2026-32597
requests	2.31.0	CVE-2024-35195, CVE-2024-47081
setuptools	68.1.2	PYSEC-2025-49, CVE-2024-6345
twisted	24.3.0	PYSEC-2024-75, CVE-2024-41671
urllib3	2.0.7	CVE-2024-37890, CVE-2025-50181, CVE-2025-66418, CVE-2025-66471, CVE-2026-21441
wheel	0.42.0	CVE-2026-24049

New vulnerabilities detected since last scan:

• pyjwt: CVE-2026-32597 (new)
• pip: CVE-2026-1703 (new)
• wheel: CVE-2026-24049

Recommended Actions

cd packages/pybackend
uv sync --upgrade

Status: Still open - awaiting fix

[github-actions]

Updated Scan Results - 2026-03-17

The vulnerability count has increased. Current scan shows 34 known vulnerabilities (up from 33):

Package	Vulnerabilities	Fix Versions
certifi	1 (PYSEC-2024-230)	2024.7.4
configobj	1 (CVE-2023-26112)	5.0.9
cryptography	5 (PYSEC-2024-225, CVE-2023-50782, CVE-2024-0727, GHSA-h4gh-qq45-vh27, CVE-2026-26007)	46.0.5
idna	1 (PYSEC-2024-60)	3.7
jinja2	5 (CVE-2024-22195, CVE-2024-34064, CVE-2024-56326, CVE-2024-56201, CVE-2025-27516)	3.1.6
pip	2 (CVE-2025-8869, CVE-2026-1703)	26.0
pyjwt	1 (CVE-2026-32597)	2.12.0
pyopenssl	2 (CVE-2026-27448, CVE-2026-27459)	26.0.0
requests	2 (CVE-2024-35195, CVE-2024-47081)	2.32.4
setuptools	2 (PYSEC-2025-49, CVE-2024-6345)	78.1.1
twisted	2 (PYSEC-2024-75, CVE-2024-41671)	24.7.0rc1
urllib3	4 (CVE-2024-37891, CVE-2025-50181, CVE-2025-66418, CVE-2025-66471, CVE-2026-21441)	2.6.3
wheel	1 (CVE-2026-24049)	0.46.2

Recommended: Run to update dependencies.

[meruedoro]

I'd like to submit a fix for the Python dependency pins (fastapi and uvicorn hard-pinned to vulnerable versions). Will open a PR shortly.

[github-actions]

Updated Scan - 2026-03-18

Additional vulnerabilities detected in latest scan:

New vulnerabilities found:

• pyjwt: CVE-2026-32597 (fix: 2.12.0)
• pyopenssl: CVE-2026-27448, CVE-2026-27459 (fix: 26.0.0)
• pyasn1: CVE-2026-30922 (fix: 0.6.3)

Total vulnerabilities now: 35 (up from 33)

Run Name Version ID Fix Versions

---

certifi 2023.11.17 PYSEC-2024-230 2024.7.4
certifi 2023.11.17 PYSEC-2024-230 2024.7.4
configobj 5.0.8 CVE-2023-26112 5.0.9
cryptography 41.0.7 PYSEC-2024-225 42.0.4
cryptography 41.0.7 PYSEC-2024-225 42.0.4
cryptography 41.0.7 CVE-2023-50782 42.0.0
cryptography 41.0.7 CVE-2024-0727 42.0.2
cryptography 41.0.7 GHSA-h4gh-qq45-vh27 43.0.1
cryptography 41.0.7 CVE-2026-26007 46.0.5
idna 3.6 PYSEC-2024-60 3.7
idna 3.6 PYSEC-2024-60 3.7
jinja2 3.1.2 CVE-2024-22195 3.1.3
jinja2 3.1.2 CVE-2024-34064 3.1.4
jinja2 3.1.2 CVE-2024-56326 3.1.5
jinja2 3.1.2 CVE-2024-56201 3.1.5
jinja2 3.1.2 CVE-2025-27516 3.1.6
pip 24.0 CVE-2025-8869 25.3
pip 24.0 CVE-2026-1703 26.0
pyasn1 0.4.8 CVE-2026-30922 0.6.3
pyjwt 2.7.0 CVE-2026-32597 2.12.0
pyopenssl 23.2.0 CVE-2026-27448 26.0.0
pyopenssl 23.2.0 CVE-2026-27459 26.0.0
requests 2.31.0 CVE-2024-35195 2.32.0
requests 2.31.0 CVE-2024-47081 2.32.4
setuptools 68.1.2 PYSEC-2025-49 78.1.1
setuptools 68.1.2 PYSEC-2025-49 78.1.1
setuptools 68.1.2 CVE-2024-6345 70.0.0
twisted 24.3.0 PYSEC-2024-75 24.7.0rc1
twisted 24.3.0 CVE-2024-41671 24.7.0rc1
urllib3 2.0.7 CVE-2024-37891 1.26.19,2.2.2
urllib3 2.0.7 CVE-2025-50181 2.5.0
urllib3 2.0.7 CVE-2025-66418 2.6.0
urllib3 2.0.7 CVE-2025-66471 2.6.0
urllib3 2.0.7 CVE-2026-21441 2.6.3
wheel 0.42.0 CVE-2026-24049 0.46.2
Name Skip Reason

---

bcc Dependency not found on PyPI and could not be audited: bcc (0.29.1)
cloud-init Dependency not found on PyPI and could not be audited: cloud-init (25.2)
command-not-found Dependency not found on PyPI and could not be audited: command-not-found (0.3)
distro-info Dependency not found on PyPI and could not be audited: distro-info (1.7+build1)
python-apt Dependency not found on PyPI and could not be audited: python-apt (2.7.7+ubuntu5.1)
python-debian Dependency not found on PyPI and could not be audited: python-debian (0.1.49+ubuntu2)
sos Dependency not found on PyPI and could not be audited: sos (4.9.2)
ubuntu-pro-client Dependency not found on PyPI and could not be audited: ubuntu-pro-client (8001)
ufw Dependency not found on PyPI and could not be audited: ufw (0.36.2)
walinuxagent Dependency not found on PyPI and could not be audited: walinuxagent (2.11.1.4) in the backend to get the full current list.