chore(deps): [ai] Update vulnerabilityAlerts to v24 [SECURITY]#580
Open
renovate-bot wants to merge 1 commit into
Branch updated (compare links): 8037b77 → 56f4e28, 56f4e28 → 2c882d6, 769cfe6 → 3ff1d75, 3ff1d75 → 213a9e5
This PR contains the following updates:

| Change | Advisory |
|---|---|
| 23.0.1 → 24.0.0 | Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering |
| 0.52.1 → 1.0.1 | Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks |

Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering
CVE-2026-25087 / GHSA-rgxp-2hwp-jwgg / PYSEC-2026-113
Details
Use After Free vulnerability in Apache Arrow C++.
This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file (but not an IPC stream) with pre-buffering enabled, if the IPC file contains data with variadic buffers (such as Binary View and String View data). Depending on the number of variadic buffers in a record batch column and on the temporal sequence of multi-threaded IO, a write to a dangling pointer could occur. The value (a `std::shared_ptr<Buffer>` object) that is written to the dangling pointer is not under direct control of the attacker.
Pre-buffering is disabled by default but can be enabled using a specific C++ API call (`RecordBatchFileReader::PreBufferMetadata`). The functionality is not exposed in language bindings (Python, Ruby, C GLib), so these bindings are not vulnerable.
The most likely consequence of this issue would be random crashes or memory corruption when reading specific kinds of IPC files. If the application allows ingesting IPC files from untrusted sources, this could plausibly be exploited for denial of service. Inducing more targeted kinds of misbehavior (such as confidential data extraction from the running process) depends on memory allocation and multi-threaded IO temporal patterns that are unlikely to be easily controlled by an attacker.
Advice for users of Arrow C++:
- check whether you enable pre-buffering on the IPC file reader (using `RecordBatchFileReader::PreBufferMetadata`)
- if so, either disable pre-buffering (which may have adverse performance consequences), or switch to Arrow 23.0.1 which is not vulnerable
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
The same advisory (CVE-2026-25087 / GHSA-rgxp-2hwp-jwgg / PYSEC-2026-113, identical text) is also listed by OSV and the PyPI Advisory Database (CC-BY 4.0).
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
CVE-2026-48710 / GHSA-86qp-5c8j-p5mr / PYSEC-2026-161 / X41-2026-002
Details
Summary
In affected versions, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed.
Details
When a client requests `http://example.com/foo`, it sends:
Affected versions reconstructed the URL by concatenating `http://{host}{path}` and re-parsing the result. The `Host` value is only valid as a `uri-host [ ":" port ]` per RFC 9112 §3.2, where `uri-host` follows the restricted `host` grammar of RFC 3986 §3.2.2. When it contains characters outside that grammar - notably `/`, `?`, or `#` - those characters move the path/query/fragment boundaries during re-parsing, so the parsed `request.url.path` no longer matches the path the server actually received. For example:
reconstructs to `http://example.com/abc?bar=/foo`, whose parsed `path` is `/abc` - even though routing used the real path `/foo`. The router still dispatches to `/foo` and the endpoint executes, but any middleware or code that reads `request.url.path` sees `/abc`, so path-based authorization checks can be bypassed.
Impact
Any application running an affected version that relies on `request.url` (or `request.url.path`) for security-sensitive decisions is affected. The most common case is middleware that gates access to certain path prefixes based on `request.url.path`. Deployments fronted by a proxy or load balancer are mitigated only if that proxy rejects or normalizes the malformed `Host` header before forwarding and the application does not trust attacker-controlled host headers (e.g. `X-Forwarded-Host`) elsewhere.
Mitigation
Upgrade to a patched version, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
CVE-2026-48710 / GHSA-86qp-5c8j-p5mr / PYSEC-2026-161 / X41-2026-002
Details
Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL’s path.
Severity
Unknown
References
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
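The URL reconstruction described in the Starlette advisories above, as an added Python example (this is not Starlette's code and not the fix from #3279): `unvalidated_url` concatenates `http://{host}{path}` and re-parses it the way affected versions did, `validated_url` applies the mitigation the advisory describes (accept `Host` only if it matches the RFC 3986 `host` grammar with an optional port, otherwise fall back to `scope["server"]`), and `path_is_poisoned` is a detection check that flags any request whose rebuilt path disagrees with the raw ASGI path. `make_scope`, `prefix_guard_allows` and the host regex are assumptions made for this example; the malformed `Host` value `example.com/abc?bar=` is derived from the advisory's example result `http://example.com/abc?bar=/foo`, and the `("127.0.0.1", 8000)` server tuple is constructed.

```python
import re
from urllib.parse import urlsplit

# Host grammar from RFC 3986 §3.2.2 (reg-name or an IP-literal such as "[::1]"),
# optionally followed by ":" port as RFC 9112 §3.2 allows. The IP-literal branch is
# simplified for this example; it is not a full IPv6/IPvFuture parser.
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+"
_IP_LITERAL = r"\[[0-9A-Za-z:.]+\]"
_HOST_RE = re.compile(r"^(?:" + _IP_LITERAL + "|" + _REG_NAME + r")(?::[0-9]*)?$")


def is_valid_host(host: str) -> bool:
    """True if the Host header value stays inside the uri-host [ ":" port ] grammar."""
    return _HOST_RE.fullmatch(host) is not None


def make_scope(host_header: str, path: str, server=("127.0.0.1", 8000)) -> dict:
    """Constructed, minimal ASGI-style HTTP scope (hypothetical helper for this example)."""
    return {
        "type": "http",
        "scheme": "http",
        "path": path,  # the raw path the router actually dispatches on
        "headers": [(b"host", host_header.encode("latin-1"))],
        "server": server,  # (host, port) the server is bound to
    }


def host_from_scope(scope: dict) -> str:
    for name, value in scope["headers"]:
        if name == b"host":
            return value.decode("latin-1")
    return ""


def unvalidated_url(scope: dict) -> str:
    """The affected pattern: build http://{host}{path} without checking Host at all."""
    return f"{scope['scheme']}://{host_from_scope(scope)}{scope['path']}"


def validated_url(scope: dict) -> str:
    """Hardened pattern: use Host only if it is well-formed, else fall back to scope['server']."""
    host = host_from_scope(scope)
    if not is_valid_host(host):
        server_host, server_port = scope["server"]
        default_port = {"http": 80, "https": 443}[scope["scheme"]]
        host = server_host if server_port in (None, default_port) else f"{server_host}:{server_port}"
    return f"{scope['scheme']}://{host}{scope['path']}"


def url_path(url: str) -> str:
    """What a consumer of request.url.path sees after the URL is re-parsed."""
    return urlsplit(url).path


def path_is_poisoned(scope: dict) -> bool:
    """Detection check: does the naively rebuilt URL's path disagree with the raw ASGI path?"""
    return url_path(unvalidated_url(scope)) != scope["path"]


def prefix_guard_allows(path: str, authenticated: bool = False, protected_prefix: str = "/foo") -> bool:
    """A path-prefix authorization gate; it is only trustworthy when fed scope['path']."""
    if path.startswith(protected_prefix):
        return authenticated
    return True


if __name__ == "__main__":
    benign = make_scope("example.com", "/foo")
    # Host value derived from the advisory's example result http://example.com/abc?bar=/foo
    malformed = make_scope("example.com/abc?bar=", "/foo")
    for label, scope in (("benign", benign), ("malformed", malformed)):
        naive = unvalidated_url(scope)
        print(f"{label}: raw path={scope['path']!r} naive url={naive!r} -> path={url_path(naive)!r}"
              f" poisoned={path_is_poisoned(scope)} hardened url={validated_url(scope)!r}")
```

Running the script shows the two views of the malformed request side by side: the router and `scope["path"]` see `/foo`, the naively rebuilt URL parses to `/abc`, so a guard that reads the rebuilt path lets the unauthenticated request through while the same guard fed the raw path does not. The hardened reconstruction discards the malformed `Host` and rebuilds from the bound server address, so its path is `/foo` again; `path_is_poisoned` is the kind of check a middleware could log on to spot such requests before upgrading.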
Release Notes
Kludex/starlette (starlette)
v1.0.1: Version 1.0.1
What's Changed
`Host` header when constructing `request.url` by @Kludex in #3279
Full Changelog: Kludex/starlette@1.0.0...1.0.1
v1.0.0: Version 1.0.0
Starlette 1.0 is here! 🎉
After nearly eight years since its creation, Starlette has reached its first stable release.
A special thank you to @lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏
Thank you to @adriangb, @graingert, @agronholm, @florimondmanca, @aminalaee, @tiangolo, @alex-oleshkevich, @abersheeran, and @uSpike for helping make Starlette what it is today. And to all my sponsors - especially @tiangolo, @huggingface, and @elevenlabs - thank you for your support!
Thank you to all 290+ contributors who have shaped Starlette over the years! ❤️
Read more on the blog post.
Check out the full release notes at https://www.starlette.io/release-notes/#100-march-22-2026
Full Changelog: Kludex/starlette@1.0.0rc1...1.0.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.