Skip to content

security: pin urllib3 and filelock for CVE fixes #1203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
EItanya merged 3 commits into from
Jan 16, 2026
Merged

security: pin urllib3 and filelock for CVE fixes #1203

EItanya merged 3 commits into from
Jan 16, 2026
+3 −0

Conversation

@boshu2
Copy link
Contributor

@boshu2 boshu2 commented Jan 12, 2026

Summary

Pin minimum versions of transitive dependencies to address high-severity CVEs:

CVE Library Severity Fixed In
CVE-2025-66418 urllib3 High (8.9) 2.6.0
CVE-2025-66471 urllib3 High (8.9) 2.6.0
CVE-2025-68146 filelock Medium (6.3) 3.20.1

urllib3 vulnerabilities (CVE-2025-66418, CVE-2025-66471)

  • Unbounded decompression chain: Malicious server can cause DoS via unlimited compression steps
  • Streaming decompression bomb: Can exhaust memory/CPU with highly compressed data
  • Affects versions >=1.24, <2.6.0

filelock vulnerability (CVE-2025-68146)

  • TOCTOU race condition: Symlink attacks during lock file creation can corrupt/truncate arbitrary files
  • Affects all versions before 3.20.1

Why explicit pins?

These are transitive dependencies that may be pulled in at vulnerable versions without explicit pins, depending on resolver order and other package constraints. Pinning ensures kagent-adk installations always get patched versions.

Changes

  • python/packages/kagent-adk/pyproject.toml: Added minimum version pins for urllib3 and filelock

Test plan

  • Verify uv lock resolves with pinned versions
  • Existing tests pass

@boshu2
security: pin urllib3 and filelock for CVE fixes
02aa722 
Pin minimum versions of transitive dependencies to address:

- urllib3>=2.6.0: CVE-2025-66418 (unbounded decompression chain, CVSS 8.9)
                  CVE-2025-66471 (streaming decompression bomb, CVSS 8.9)
- filelock>=3.20.1: CVE-2025-68146 (TOCTOU symlink race condition, CVSS 6.3)

These are transitive dependencies that may be pulled in at vulnerable versions
without explicit pins. The fixes ensure kagent-adk installations get patched
versions regardless of resolver order.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-66418
- https://nvd.nist.gov/vuln/detail/CVE-2025-66471
- GHSA-w853-jp5j-5j7f

Signed-off-by: Boden Fuller <boden.fuller@gmail.com>
felipefrocha
felipefrocha suggested changes Jan 14, 2026
View reviewed changes
python/packages/kagent-adk/pyproject.toml Outdated
"jsonref>=1.1.0",
"a2a-sdk>=0.3.22",
# Security: pin minimum versions for CVE fixes in transitive dependencies
"urllib3>=2.6.0", # CVE-2025-66418, CVE-2025-66471: unbounded decompression DoS
Copy link

@felipefrocha felipefrocha Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not 2.6.3 already?

Copy link
Contributor Author

@boshu2 boshu2 Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point - updated to >=2.6.3. Thanks for the review!

@felipefrocha felipefrocha mentioned this pull request Jan 14, 2026
Open
@boshu2
chore: bump urllib3 minimum to 2.6.3 per review feedback
473b5e8 
Signed-off-by: Boden Fuller <boden.fuller@gmail.com>
@EItanya
Copy link
Contributor

EItanya commented Jan 16, 2026

Hey there, you will need to merge with main and then I can merge

@boshu2
merge: sync with upstream main
dbde79c 
Resolved conflict in pyproject.toml by keeping both:
- Security pins for urllib3 and filelock (CVE fixes)
- New boto3 dependency from upstream

Signed-off-by: Boden Fuller <boden.fuller@gmail.com>
@boshu2
Copy link
Contributor Author

boshu2 commented Jan 16, 2026

Branch synced with upstream main. All checks passing:

  • ✅ Merged with main (resolved pyproject.toml conflict)
  • ✅ DCO signed
  • ✅ Snyk security scan passed
  • ✅ label-by-files passed
  • ✅ Isolation maintained (single file, security scope)
  • ✅ No divergence conflicts

Ready for merge.

@boshu2 boshu2 requested a review from felipefrocha January 16, 2026 16:26
@EItanya EItanya enabled auto-merge (squash) January 16, 2026 18:39
@EItanya EItanya merged commit 4d412a8 into kagent-dev:main Jan 16, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EItanya EItanya EItanya approved these changes

@peterj peterj Awaiting requested review from peterj peterj is a code owner

@yuval-k yuval-k Awaiting requested review from yuval-k yuval-k is a code owner

@felipefrocha felipefrocha Awaiting requested review from felipefrocha

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@boshu2 @EItanya @felipefrocha