
deps(security): bump urllib3 floor to >=2.7.0 (GHSA-mf9v-mfxr-j63j + GHSA-qccp-gfcp-xxvc, HIGH)#1975

Merged
qin-ctx merged 1 commit into volcengine:main from r266-tech:security/bump-urllib3-floor-270 on May 12, 2026

Conversation

@r266-tech
Contributor

Summary

Bump urllib3 floor from >=2.6.3 to >=2.7.0 in pyproject.toml to close two HIGH-severity advisories published 2026-05-11 against urllib3 < 2.7.0.

Vulnerabilities (both HIGH, both first_patched_version 2.7.0)

  • GHSA-mf9v-mfxr-j63j — Decompression-bomb safeguards bypass: HTTPResponse.drain_conn() called after partial decompression (and during a second HTTP CONNECT) can bypass the body-size enforcement and process unlimited decompressed bytes. Vulnerable range >= 2.6.0, < 2.7.0.
  • GHSA-qccp-gfcp-xxvc — Sensitive headers (Authorization, Proxy-Authorization, Cookie) are forwarded across origins on proxied low-level redirects, leaking credentials to attacker-controlled origins. Vulnerable range >= 1.23, < 2.7.0.

Current floor >=2.6.3 permits installing 2.6.3 (vulnerable to both), so any deployment resolving deps fresh can pick up a vulnerable build until the floor is lifted.

Diff

-    "urllib3>=2.6.3",
+    "urllib3>=2.7.0",
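Review bot: a raised `>=` floor only takes effect on a fresh resolve, and the description says pyproject.toml is the only file changed; if the repository also carries a lock file or pinned requirements file, that pin still resolves urllib3 2.6.3 and installs from it stay exposed to both advisories, so either regenerate the lock in the same change or state explicitly that no lock file exists. The accompanying check that no upper bound on urllib3 is present in this block is the right companion verification for an open-ended floor and is worth keeping in the description.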

Why now

Same one-line floor-bump form as recently merged #1877 (python-multipart GHSA-pp6c-gr5w-3c5g) and #1882 (litellm 5 GHSAs), and currently open #1963 (langchain-core GHSA-pjwx-r37v-7724). Both urllib3 advisories are ~32h old at the time of this PR; Dependabot's weekly cadence will catch it, but not for days.

Verification

  • pyproject.toml is the only file changed; only the urllib3 line is modified.
  • No upper bound on urllib3 exists in this dep block, so 2.7.0 is a satisfiable patch-level bump.
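A defender-side check of the argument above, as an added example that is not OpenViking's or urllib3's own code: given a pyproject dependency line and an advisory's vulnerable range, decide whether the declared constraint still lets a resolver pick an exposed version. The advisory ranges are the ones quoted in this PR; the dependency lines are constructed to mirror the diff, and the parser assumes single-clause specifiers (one operator per entry).

```python
import re

# Vulnerable ranges (introduced, first_patched) exactly as the two advisories in the PR state them.
ADVISORIES = {
    "GHSA-mf9v-mfxr-j63j": ("2.6.0", "2.7.0"),  # drain_conn() decompression-bomb safeguard bypass
    "GHSA-qccp-gfcp-xxvc": ("1.23", "2.7.0"),   # sensitive headers forwarded on proxied redirects
}

# One single-clause entry per line, e.g.  "urllib3>=2.6.3",  (multi-clause specs are not parsed).
DEP_RE = re.compile(r'^\s*"?([A-Za-z0-9_.\-]+)\s*(>=|<=|==|!=|~=|>|<)?\s*([0-9][0-9.]*)?"?\s*,?\s*$')

def vtuple(version):
    """'2.6.3' -> (2, 6, 3): compare versions numerically, never as strings."""
    return tuple(int(part) for part in version.split("."))

def parse_requirement(dep_line):
    """Return (name, operator, version) for a pyproject dependency entry, or None if the line is not one."""
    m = DEP_RE.match(dep_line)
    return (m.group(1).lower(), m.group(2), m.group(3)) if m else None

def admits_vulnerable(operator, version, introduced, patched):
    """True if the declared constraint still lets a resolver pick a version in [introduced, patched)."""
    lo, hi = vtuple(introduced), vtuple(patched)
    if operator is None or version is None:  # bare name: any version at all satisfies the resolver
        return True
    v = vtuple(version)
    if operator == "==":                     # exact pin: exposed only if the pin itself is in range
        return lo <= v < hi
    if operator in (">=", ">"):              # open-ended floor (this PR's case): exposed while floor < patched
        return v < hi
    raise ValueError(f"operator {operator!r} is not handled by this example")

def audit(pyproject_lines, package="urllib3"):
    """Map each advisory to the dependency line that still exposes `package`; empty dict means clean."""
    findings = {}
    for line in pyproject_lines:
        parsed = parse_requirement(line)
        if parsed is None or parsed[0] != package:
            continue
        _, op, ver = parsed
        for ghsa, (lo, hi) in ADVISORIES.items():
            if admits_vulnerable(op, ver, lo, hi):
                findings[ghsa] = line.strip()
    return findings

# Constructed dependency lines mirroring the PR's before/after diff.
BEFORE = ['    "requests>=2.31",', '    "urllib3>=2.6.3",']
AFTER = ['    "requests>=2.31",', '    "urllib3>=2.7.0",']
```

Running `audit(BEFORE)` reports both GHSA ids against the old floor, while `audit(AFTER)` returns an empty dict, which is the state this PR leaves the dependency block in.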

Close GHSA-mf9v-mfxr-j63j (decompression-bomb safeguards bypass, HIGH)
and GHSA-qccp-gfcp-xxvc (sensitive headers forwarded across origins in
proxied redirects, HIGH). Both advisories published 2026-05-11, both
first_patched_version=2.7.0.
@github-actions

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ✅

1964 (inferred) - PR Code Verified

Compliant requirements:

  • Bump urllib3 floor from >=2.6.3 to >=2.7.0 in pyproject.toml

Requires further human verification:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
🏅 Score: 100
🧪 No relevant tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ No major issues detected

@github-actions

PR Code Suggestions ✨

No code suggestions found for the PR.

@qin-ctx qin-ctx merged commit f9c6299 into volcengine:main May 12, 2026
10 checks passed
@github-project-automation github-project-automation Bot moved this from Backlog to Done in OpenViking project May 12, 2026