
fix: patch 10 security alerts (high + medium + low) #249

Merged: John Kennedy (jkennedyvz) merged 1 commit into main from fix/security-alerts-2026-02-24-round2 on Feb 25, 2026

Conversation

@jkennedyvz (Contributor)

Security Alert Patch (Round 2)

Resolves 10 Dependabot security alerts across high, medium, and low severity tiers. Follows up on #248 which patched the critical + initial high alerts.

Packages Updated

| Package | Lib | Old | New | Strategy | CVEs Resolved |
|---|---|---|---|---|---|
| urllib3 | trt | 2.2.3 (py<3.11) / 2.6.3 (py>=3.11) | 2.6.3 (single) | Bump min Python to >=3.9 | CVE-2026-21441, CVE-2025-66471, CVE-2025-66418, CVE-2025-50182, CVE-2025-50181 |
| requests | trt | 2.31.0 | 2.32.5 | Poetry update | CVE-2024-47081, CVE-2024-35195 |
| certifi | trt | 2024.2.2 | 2026.1.4 | Poetry update | CVE-2024-39689 |
| idna | trt | 3.6 | 3.11 | Poetry update | CVE-2024-3651 |
| langsmith | ai-endpoints | 0.4.45 | 0.7.6 | Poetry update | CVE-2026-25528 |

Key Changes

Python version bump (libs/trt): >=3.8.1 → >=3.9. Python 3.8 reached EOL in October 2024. This was the root cause of the urllib3 split resolution — urllib3 2.6.3 requires Python >=3.9, so Poetry was resolving a vulnerable 2.2.3 for Python <3.11.

CI matrix update: .github/scripts/check_diff.py updated to remove Python 3.8 from trt's test and lint matrices.

CVE Details

  • CVE-2026-21441 — urllib3: decompression-bomb safeguards bypassed on redirects (HIGH)
  • CVE-2025-66471 — urllib3: streaming API improperly handles highly compressed data (HIGH)
  • CVE-2025-66418 — urllib3: unbounded decompression chain (HIGH)
  • CVE-2026-25528 — langsmith: SSRF via tracing header (MEDIUM)
  • CVE-2025-50182 — urllib3: uncontrolled redirects in browsers (MEDIUM)
  • CVE-2025-50181 — urllib3: redirects not disabled when retries disabled (MEDIUM)
  • CVE-2024-47081 — requests: .netrc credentials leak via malicious URLs (MEDIUM)
  • CVE-2024-35195 — requests: Session doesn't verify after first request (MEDIUM)
  • CVE-2024-3651 — idna: denial of service (MEDIUM)
  • CVE-2024-39689 — certifi: GLOBALTRUST root certificate removal (LOW)

Not Fixed

Verification

  • All lockfiles regenerated
  • poetry check passes for both libs
  • CI matrix updated for new Python minimum

🤖 Submitted by langster-patch

Bump libs/trt minimum Python from >=3.8.1 to >=3.9 (3.8 is EOL) so
urllib3 resolves to a single 2.6.3 instead of splitting with vulnerable
2.2.3. Update requests, certifi, idna in trt. Update langsmith in
ai-endpoints. Update CI matrix to match new Python minimum.

Resolves: CVE-2026-21441, CVE-2025-66471, CVE-2025-66418,
CVE-2026-25528, CVE-2025-50182, CVE-2025-50181, CVE-2024-47081,
CVE-2024-35195, CVE-2024-3651, CVE-2024-39689
@jkennedyvz John Kennedy (jkennedyvz) merged commit 8104ca3 into main Feb 25, 2026
23 checks passed
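The failure mode this PR fixes is easy to miss in review: Dependabot reports the package as "updated" while the lockfile still carries a second, older copy behind a Python-version marker. The following is an added example, not code from the PR or the repository, that scans a poetry.lock for exactly that split resolution and for any locked version below the fixed floor an alert names. The lock excerpt is constructed to mirror the pre-fix state described above (urllib3 2.2.3 for Python <3.11 and 2.6.3 for >=3.11), and the per-package `markers` key is assumed to follow the Poetry 2.x lock layout; `parse_packages`, `split_resolutions` and `below_floor` are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed poetry.lock excerpt (not taken from the repository). It mirrors the
# pre-fix state the PR describes: with python = ">=3.8.1" in pyproject, Poetry
# locks urllib3 twice, 2.2.3 for interpreters below 3.11 and 2.6.3 at or above.
# The per-package "markers" key is assumed to follow the Poetry 2.x lock layout.
SAMPLE_LOCK = r'''
[[package]]
name = "urllib3"
version = "2.2.3"
optional = false
python-versions = ">=3.8"
files = []
markers = "python_version < \"3.11\""

[[package]]
name = "urllib3"
version = "2.6.3"
optional = false
python-versions = ">=3.9"
files = []
markers = "python_version >= \"3.11\""

[[package]]
name = "requests"
version = "2.32.5"
optional = false
python-versions = ">=3.9"
files = []
'''

# Only the three fields the checks need; one key = "value" per line.
_FIELD = re.compile(r'^(name|version|markers) = "(.*)"$', re.MULTILINE)


def parse_packages(lock_text):
    """Return [(name, version, markers)] for every [[package]] entry.

    A missing markers key means the package applies on every interpreter
    in the project's python range.
    """
    entries = []
    for block in lock_text.split("[[package]]")[1:]:
        # Unescape the \" that TOML uses inside quoted marker strings.
        fields = {k: v.replace('\\"', '"') for k, v in _FIELD.findall(block)}
        entries.append((fields["name"], fields["version"], fields.get("markers", "")))
    return entries


def split_resolutions(lock_text):
    """Packages locked at more than one version, keyed by name.

    A split means the older version still ships on some interpreters, which is
    how a vulnerable urllib3 2.2.3 survived alongside 2.6.3 before this PR.
    """
    by_name = defaultdict(list)
    for name, version, markers in parse_packages(lock_text):
        by_name[name].append((version, markers))
    return {n: v for n, v in by_name.items() if len(v) > 1}


def _vtuple(version):
    # Numeric-only comparison is enough for the release versions in this PR.
    return tuple(int(p) for p in version.split("."))


def below_floor(lock_text, floors):
    """Locked versions that fall below the fixed version an alert names.

    floors maps package name -> minimum non-vulnerable version (e.g. the PR's
    'New' column). Returns [(name, version, markers)] so the caller can see
    which interpreter range still receives the vulnerable build.
    """
    return [
        (name, version, markers)
        for name, version, markers in parse_packages(lock_text)
        if name in floors and _vtuple(version) < _vtuple(floors[name])
    ]


if __name__ == "__main__":
    floors = {"urllib3": "2.6.3", "requests": "2.32.5"}
    for name, versions in split_resolutions(SAMPLE_LOCK).items():
        print(f"split resolution: {name} -> {versions}")
    for name, version, markers in below_floor(SAMPLE_LOCK, floors):
        print(f"still vulnerable: {name} {version} ({markers or 'all interpreters'})")
```

Run against a real lockfile by reading it into `lock_text`; a non-empty result from either function is the signal that a bump to the project's Python constraint (as done here for libs/trt) or an explicit version floor in pyproject is still needed, even though `poetry check` passes.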