Skip to content

[xh] Fix vulnerabilities #5863

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[xh] Fix vulnerabilities #5863

wants to merge 1 commit into from

Conversation

matrixstone
Copy link
Collaborator

@matrixstone matrixstone commented Aug 23, 2025
edited
Loading

Description

Here is the list of vulnerabilities fixed in thie PR:

  1. CVE-2025-43859 — h11 0.14.0
    Root cause: h11 is a transitive dependency of httpx
    Fix: Updated httpx from ==0.25.0 to >=0.27.0 in both requirements.txt and mage_integrations/requirements.txt
    Why: httpx 0.27.0+ includes h11 0.15.0+ which fixes the vulnerability

  2. CVE-2024-5998 — langchain 0.1.6
    Fix: Updated langchain from ==0.1.6 to >=0.2.5 in both requirements.txt and setup.py
    Why: langchain 0.2.5+ fixes the pickle deserialization vulnerability

  3. CVE-2024-5998 — langchain-community 0.0.19
    Fix: Updated langchain-community from <0.0.20 to >=0.2.5 in both requirements.txt and setup.py
    Why: langchain-community 0.2.5+ fixes the same pickle deserialization vulnerability

  4. CVE-2024-8309 — langchain 0.1.6
    Fix: Same as above - updated langchain to >=0.2.5
    Why: langchain 0.3.0+ fixes the SQL injection vulnerability

  5. CVE-2025-2828 — langchain-community 0.0.19
    Fix: Same as above - updated langchain-community to >=0.2.5
    Why: langchain-community 0.2.5+ fixes the denial of service vulnerability

  6. CVE-2024-45187 — mage-ai 0.9.76
    Fix: Updated mage-ai version from 0.9.76 to 0.9.77 in both mage_ai/server/constants.py and setup.py
    Why: This addresses the mage-ai specific vulnerability

  7. System-level vulnerabilities (Debian 12 Bookworm)
    CVE-2023-5841 — libopenexr: Fixed in Debian 12 (Bookworm) - no action needed
    CVE-2024-45187 — libxml2: Fixed in Debian 12 (Bookworm) - no action needed

How Has This Been Tested?

Build image success
wechat_2025-08-22_204130_727

Tested in Mage UI with pipeline run S3 read, transform and write to S3

image

Checklist

  • The PR is tagged with proper labels (bug, enhancement, feature, documentation)
  • I have performed a self-review of my own code
  • I have added unit tests that prove my fix is effective or that my feature works
  • [X call me Rit] I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation

cc:
@wangxiaoyou1993

@matrixstone matrixstone added the security security related issues label Aug 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wangxiaoyou1993 wangxiaoyou1993 Awaiting requested review from wangxiaoyou1993

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
security security related issues
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@matrixstone