Update vulnerable dependencies [SECURITY] (patch) #2203
+5
−5
This PR contains the following updates:

Flask: ==3.1.0 -> ==3.1.1
django: ==5.1.8 -> ==5.1.14
github.com/golang-jwt/jwt/v4: v4.5.1 -> v4.5.2
pg8000: ==1.31.2 -> ==1.31.5
requests: ==2.32.3 -> ==2.32.4

Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Flask uses fallback key instead of current signing key
CVE-2025-47278 / GHSA-4grg-w6v8-c28g
More information
Details
In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key.
Signing is provided by the itsdangerous library. A list of keys can be passed, and it expects the last (top) key in the list to be the most recent key, and uses that for signing. Flask was incorrectly constructing that list in reverse, passing the signing key first.

Sites that have opted in to use key rotation by setting SECRET_KEY_FALLBACKS are likely to unexpectedly be signing their sessions with stale keys, and their transition to fresher keys will be impeded. Sessions are still signed, so this would not cause any sort of data integrity loss.

Severity
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
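The key-list convention the advisory describes, as an added example that is not Flask or itsdangerous code: it models signing with the last key and verifying with any key, then shows why the Flask 3.1.0 ordering produced sessions signed with the stale fallback, and includes a check an operator can run on a session signature to confirm the current key was used. The key values and session payload are constructed.

```python
import hmac
import hashlib

# Added example, not Flask or itsdangerous code. It models the itsdangerous
# convention the advisory describes: the LAST key in the list is the current
# one and is used for signing; verification accepts any key in the list.
# All keys and the session value below are constructed sample data.

def _mac(key: bytes, value: bytes) -> bytes:
    return hmac.new(key, value, hashlib.sha256).digest()

def sign(keys: list[bytes], value: bytes) -> bytes:
    """Sign with the last key in the list (the itsdangerous convention)."""
    return _mac(keys[-1], value)

def verify(keys: list[bytes], value: bytes, sig: bytes) -> bool:
    """Accept a signature produced by any key in the list (key rotation)."""
    return any(hmac.compare_digest(_mac(k, value), sig) for k in keys)

def signed_with_current_key(current: bytes, value: bytes, sig: bytes) -> bool:
    """Defender check: was this signature made with the current key or a stale one?"""
    return hmac.compare_digest(_mac(current, value), sig)

# Constructed sample keys: the current key plus two older fallbacks. Only the
# position of CURRENT in the final list matters for which key signs.
CURRENT = b"key-2025-current"
FALLBACKS = [b"key-2024-old", b"key-2023-older"]
SESSION = b'{"user_id": 42}'

def buggy_key_list() -> list[bytes]:
    # Order the advisory attributes to Flask 3.1.0: signing key first,
    # so the last fallback sits in the position itsdangerous signs with.
    return [CURRENT, *FALLBACKS]

def fixed_key_list() -> list[bytes]:
    # Correct order: oldest fallback first, current key last.
    return [*reversed(FALLBACKS), CURRENT]

def demo(keys: list[bytes]) -> tuple[bool, bool]:
    """Return (verifies, signed_with_current_key) for a session signed with keys."""
    sig = sign(keys, SESSION)
    return verify(keys, SESSION, sig), signed_with_current_key(CURRENT, SESSION, sig)

if __name__ == "__main__":
    print("buggy order:", demo(buggy_key_list()))  # (True, False): valid, but stale key
    print("fixed order:", demo(fixed_key_list()))  # (True, True)
```

Note that the buggy order still verifies, which is why the advisory rates this as impeded rotation rather than an integrity loss.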
GitHub Vulnerability Alerts
CVE-2025-64458
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, django.http.HttpResponseRedirect, django.http.HttpResponsePermanentRedirect, and the shortcut django.shortcuts.redirect were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
CVE-2025-64459
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q(), are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
BIT-django-2025-32873 / CVE-2025-32873 / GHSA-8j24-cjrq-gr2m / PYSEC-2025-37
More information
Details
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Severity
Unknown
References
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Django has a denial-of-service possibility in strip_tags()
BIT-django-2025-32873 / CVE-2025-32873 / GHSA-8j24-cjrq-gr2m / PYSEC-2025-37
More information
Details
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Django Improper Output Neutralization for Logs vulnerability
BIT-django-2025-48432 / CVE-2025-48432 / GHSA-7xr5-9hcq-chf9 / PYSEC-2025-47
More information
Details
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
BIT-django-2025-48432 / CVE-2025-48432 / GHSA-7xr5-9hcq-chf9 / PYSEC-2025-47
More information
Details
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
Severity
Unknown
References
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
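A defence-in-depth measure for the log injection described in the two advisory copies above, as an added example that is not Django's code (the fix for CVE-2025-48432 is the upgrade): a logging filter that escapes control characters in request-derived values before the formatter sees them, so a crafted path cannot forge a second log line or emit terminal escapes. The logger name, format string and sample path are constructed.

```python
import io
import logging

# Added example, not Django code. CVE-2025-48432 is fixed by upgrading Django;
# this filter hardens any logger that interpolates request-derived strings
# (paths, user agents) into log lines by escaping control characters, so a
# crafted value cannot add a line or emit terminal escape sequences.

def escape_control_chars(value: str) -> str:
    """Render C0/C1 control characters (newline, CR, ESC, ...) as \\xNN."""
    out = []
    for ch in value:
        o = ord(ch)
        out.append(f"\\x{o:02x}" if o < 0x20 or 0x7F <= o <= 0x9F else ch)
    return "".join(out)

class ControlCharFilter(logging.Filter):
    """Sanitise the message and its string arguments before formatting."""
    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = escape_control_chars(record.msg)
        if isinstance(record.args, tuple):
            record.args = tuple(escape_control_chars(a) if isinstance(a, str) else a
                                for a in record.args)
        elif isinstance(record.args, dict):
            record.args = {k: escape_control_chars(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        return True  # never drop the record, only neutralise it

def render_access_line(path: str, status: int) -> str:
    """Log one request through a filtered handler and return the rendered line."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(ControlCharFilter())
    logger = logging.getLogger("example.access")  # constructed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.info('"GET %s" %d', path, status)
    handler.flush()
    return buf.getvalue()

# Constructed sample: a path carrying a newline and a fake second entry.
CRAFTED_PATH = '/login\nINFO "GET /admin" 200'

if __name__ == "__main__":
    print(render_access_line(CRAFTED_PATH, 404), end="")
```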
Django is subject to SQL injection through its column aliases
BIT-django-2025-57833 / CVE-2025-57833 / GHSA-6w2r-r2m5-xq5w
More information
Details
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Django vulnerable to SQL injection in column aliases
BIT-django-2025-59681 / CVE-2025-59681 / GHSA-hpr9-3m2g-3j9p
More information
Details
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Django vulnerable to partial directory traversal via archives
BIT-django-2025-59682 / CVE-2025-59682 / GHSA-q95w-c7qg-hrff
More information
Details
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
BIT-django-2025-64459 / CVE-2025-64459 / GHSA-frmv-pr5f-9mcr
More information
Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q(), are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
BIT-django-2025-64458 / CVE-2025-64458 / GHSA-qw25-v68c-qjf3
More information
Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, django.http.HttpResponseRedirect, django.http.HttpResponsePermanentRedirect, and the shortcut django.shortcuts.redirect were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2025-30204
Summary
Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16.

Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details
See parse.ParseUnverified

Impact
Excessive memory allocation
jwt-go allows excessive memory allocation during header parsing
CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553
More information
Details
Summary
Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16.

Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details
See parse.ParseUnverified

Impact
Excessive memory allocation
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Excessive memory allocation during header parsing in github.com/golang-jwt/jwt
CVE-2025-30204 / GHSA-mh63-6h87-95cp / GO-2025-3553
More information
Details
Excessive memory allocation during header parsing in github.com/golang-jwt/jwt
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
CVE-2025-61385
SQL injection vulnerability in tlocke pg8000 1.31.4 allows remote attackers to execute arbitrary SQL commands via a specially crafted Python list input to function pg8000.native.literal.
pg8000 SQL injection vulnerability via a specially crafted Python list input
CVE-2025-61385 / GHSA-wq2g-r956-j8cc
More information
Details
SQL injection vulnerability in tlocke pg8000 1.31.4 allows remote attackers to execute arbitrary SQL commands via a specially crafted Python list input to function pg8000.native.literal.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Requests vulnerable to .netrc credentials leak via malicious URLs
CVE-2024-47081 / GHSA-9hjg-9r4m-mvj7
More information
Details
Impact
Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.
Workarounds
For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References
https://github.com/psf/requests/pull/6965
https://seclists.org/fulldisclosure/2025/Jun/2
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
pallets/flask (Flask)
v3.1.1 Compare Source
Released 2025-05-13
- SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
- cli_runner.invoke. :issue:5645
- flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673
- AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659

django/django (django)
v5.1.14Compare Source
v5.1.13Compare Source
v5.1.12Compare Source
v5.1.11Compare Source
v5.1.10Compare Source
v5.1.9Compare Source
golang-jwt/jwt (github.com/golang-jwt/jwt/v4)
v4.5.2Compare Source
See GHSA-mh63-6h87-95cp
Full Changelog: golang-jwt/jwt@v4.5.1...v4.5.2
psf/requests (requests)
v2.32.4Compare Source
Security
environment will retrieve credentials for the wrong hostname/machine from a netrc file.
Improvements
Deprecations
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Renovate Bot.