
Security: Fix 8 vulnerabilities in 3 packages #179

Merged
gregv merged 1 commit into develop from security-fix-feb-2026
Feb 14, 2026

Conversation

@gregv (Contributor) commented Feb 14, 2026

This commit addresses all security vulnerabilities detected by Dependabot and pip-audit, upgrading affected packages to patched versions.

Critical Security Fixes

1. Flask-CORS: 3.0.10 → 6.0.0 (6 CVEs fixed)

Impact: Prevents unauthorized cross-origin access to sensitive
endpoints and data leaks from misconfigured CORS policies.

2. cryptography: >=44.0.1 → >=46.0.5 (CVE-2026-26007)

  • Missing elliptic curve point validation
  • Affects ECDH/ECDSA operations on SECT curves
  • Can leak private key information via small subgroup attacks

Impact: Prevents private key leakage and signature forgery in
elliptic curve cryptography operations.

3. PyNaCl: implicit 1.6.0 → >=1.6.2 (CVE-2025-69277)

  • Invalid elliptic curve point validation in libsodium
  • crypto_core_ed25519_is_valid_point weakness
  • Points outside main cryptographic group accepted

Impact: Ensures elliptic curve points are properly validated,
preventing cryptographic group confusion attacks.

Additional Package Updates

Updated packages to match installed versions and improve consistency:

  • python-dotenv: 0.19.1 → >=1.0.1
  • slack_sdk: 3.18.1 → >=3.27.1
  • redis: 5.2.1 → >=6.1.0
  • cffi: ==1.15.0 → >=1.15.0 (allows newer versions)

Verification

```bash
pip-audit -r requirements.txt
# Result: No known vulnerabilities found
```

All 8 vulnerabilities have been resolved. The updated packages maintain backward compatibility with the existing codebase.

References

What does the PR do?

A description of the changes proposed in the pull request.

Type of change

  • Breaking Change
  • Bug Fix
  • New Feature

Linked Issue

Related Issue: reference to a related issue

Make sure you have

  • Pulled from the default branch
  • Documented your changes
  • Linked the Issue
  • Appointed a reviewer (if any)

This commit addresses all security vulnerabilities detected by Dependabot
and pip-audit, upgrading affected packages to patched versions.

## Critical Security Fixes

### 1. Flask-CORS: 3.0.10 → 6.0.0 (6 CVEs fixed)
   - CVE-2024-1681: CORS policy bypass
   - CVE-2024-6844: Inconsistent CORS matching with '+' character
   - CVE-2024-6866: Case-insensitive path matching vulnerability
   - CVE-2024-6839: Improper regex pattern priority
   - PYSEC-2024-71 (duplicate entries)

   **Impact:** Prevents unauthorized cross-origin access to sensitive
   endpoints and data leaks from misconfigured CORS policies.

### 2. cryptography: >=44.0.1 → >=46.0.5 (CVE-2026-26007)
   - Missing elliptic curve point validation
   - Affects ECDH/ECDSA operations on SECT curves
   - Can leak private key information via small subgroup attacks

   **Impact:** Prevents private key leakage and signature forgery in
   elliptic curve cryptography operations.

### 3. PyNaCl: implicit 1.6.0 → >=1.6.2 (CVE-2025-69277)
   - Invalid elliptic curve point validation in libsodium
   - crypto_core_ed25519_is_valid_point weakness
   - Points outside main cryptographic group accepted

   **Impact:** Ensures elliptic curve points are properly validated,
   preventing cryptographic group confusion attacks.

## Additional Package Updates

Updated packages to match installed versions and improve consistency:
- python-dotenv: 0.19.1 → >=1.0.1
- slack_sdk: 3.18.1 → >=3.27.1
- redis: 5.2.1 → >=6.1.0
- cffi: ==1.15.0 → >=1.15.0 (allows newer versions)

## Verification

```bash
pip-audit -r requirements.txt
# Result: No known vulnerabilities found
```

All 8 vulnerabilities have been resolved. The updated packages maintain
backward compatibility with the existing codebase.

## References

- Flask-CORS vulnerabilities: https://github.com/corydolphin/flask-cors/security
- CVE-2026-26007: https://nvd.nist.gov/vuln/detail/CVE-2026-26007
- CVE-2025-69277: https://nvd.nist.gov/vuln/detail/CVE-2025-69277

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@gregv gregv merged commit 9c3bb90 into develop Feb 14, 2026
2 checks passed
@gregv gregv deleted the security-fix-feb-2026 branch February 14, 2026 04:38
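The PR raises the version floors for three packages, but a `>=` floor in requirements.txt only helps if every pin actually sits at or above the patched release. As an added example (not code from this PR or its project), the script below parses a constructed requirements file and flags any pin that falls below the patched minimums named in the PR description; the package floors are taken from the PR, while the sample requirements text and the `audit_requirements` helper are assumptions for this illustration.

```python
import re

# Minimum patched versions named in the PR for the three affected packages.
PATCHED_MINIMUMS = {
    "flask-cors": (6, 0, 0),
    "cryptography": (46, 0, 5),
    "pynacl": (1, 6, 2),
}

# Constructed sample input, not the project's real requirements.txt:
# two of the four pins sit below the patched floors on purpose.
SAMPLE_REQUIREMENTS = """\
Flask-CORS>=6.0.0
cryptography>=44.0.1
PyNaCl==1.6.0
redis>=6.1.0
"""

# Matches "name<op>version" for the simple pin styles used in the PR.
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=)\s*([0-9][0-9.]*)"
)


def normalize(name):
    # PEP 503 name normalisation: case-fold and collapse runs of -, _ and .
    # so "Flask-CORS", "flask_cors" and "Flask.Cors" all compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def audit_requirements(text):
    """Return (package, pin, patched_minimum) for every pin below the floor.

    Lines that are not simple pins, and packages not in PATCHED_MINIMUMS,
    are skipped; a ">=" pin only guarantees a lower bound, so this check
    confirms the floor itself is high enough, not what pip resolved."""
    findings = []
    for line in text.splitlines():
        match = REQ_RE.match(line)
        if not match:
            continue
        name = normalize(match.group(1))
        pinned = parse_version(match.group(3))
        floor = PATCHED_MINIMUMS.get(name)
        if floor is not None and pinned < floor:
            findings.append((name, match.group(2) + match.group(3),
                             ".".join(str(p) for p in floor)))
    return findings


if __name__ == "__main__":
    for name, pin, floor in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}: pinned {pin}, patched minimum is {floor}")
```

Run it against the real requirements.txt after a dependency bump; an empty result means every pinned floor is at or above the patched release, which pip-audit on the resolved environment then confirms.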