Security: 11 CVE fixes for NSPECT-S62Q-PZUD (collection, 2 children) #702

Draft
nv-rag-cve-bot[bot] wants to merge 2 commits into develop from cve-fix/NSPECT-S62Q-PZUD-20260630-022149

Security: 11 CVE fixes for NSPECT-S62Q-PZUD (collection, 2 children)

nSpect: NSPECT-S62Q-PZUD (Foundational RAG Downloadable NIM Agent Blueprint)
Children: NSPECT-UV6I-R3V9 (Container), NSPECT-O8B9-SHZ8 (Helm Chart)
Severity scope: Critical + High
Track: A — pip-audit verified (0 vulnerabilities post-fix)
Validation: pipeline (§5b/§5c/§5d in CI)


CVEs addressed

| Package | CVE / GHSA | Old version | New version |
| --- | --- | --- | --- |
| aiohttp | CVE-2026-50269 + cluster | 3.13.5 | 3.14.1 |
| cryptography | GHSA-537c-gmf6-5ccf | 48.0.0 | 49.0.0 |
| starlette | CVE-2026-54283 + cluster | 0.50.0 | 1.3.1 |
| python-multipart | CVE-2026-53539 + cluster | 0.0.29 | 0.0.32 |
| langsmith | GHSA-f4xh-w4cj-qxq8 | 0.8.5 | 0.9.3 |
| langchain | GHSA-gr75-jv2w-4656 | 1.3.1 | 1.3.11 |
| langchain-openai | PYSEC-2026-76 / CVE-2026-41488 | 1.1.7 | 1.3.3 |
| openai | (required by langchain-openai ≥1.1.14) | 1.109.1 | 2.44.0 |
| fastapi | (required to unblock starlette 1.3.1) | 0.128.0 | 0.138.2 |
| bleach | GHSA-gj48-438w-jh9v + cluster | 6.3.0 | 6.4.0 |
| pyarrow | PYSEC-2026-113 / CVE-2026-25087 | 21.0.0 | 24.0.0 |
| pydantic-settings | GHSA-4xgf-cpjx-pc3j | 2.12.0 | 2.14.2 |
| langgraph-sdk | CVE-2026-48776 | 0.3.3 | 0.4.2 |

Changes

  • pyproject.toml — 15 constraint edits + 3 new override-dependencies
  • uv.lock — regenerated (16 packages updated)
  • tests/unit/test_security_dependency_pins.py — 11 new version-pin regression tests

Cascade notes

  • starlette 1.3.1: requires fastapi ≥0.135.0 (removes starlette upper cap) + new starlette>=1.3.1 override-dep.
  • openai v2: required by langchain-openai ≥1.1.14. Verified: repo uses only client-based AsyncOpenAI/OpenAI API — unchanged in v2.
  • pyarrow upper cap removed: was <22.0; safe — repo uses only stable pa.* APIs.

Expert review (Phase 6)

All five reviewers approved after two minor fixes:

  • R4: removed incidental pytest dev-group added by uv add --dev
  • R5: added pyarrow version-pin test (PYSEC-2026-113)

Validation

| Step | Status | Notes |
| --- | --- | --- |
| §5a-repro (pip-audit pre-fix) | ✅ confirmed | All 11 CVE clusters present |
| §5a re-scan (pip-audit post-fix) | ✅ 0 vulnerabilities | exit 0 |
| §5a-sweep (full sweep) | ✅ 0 vulnerabilities | |
| §5b unit tests | ⏳ pending | CI gating job: unit-tests |
| §5c lint / static analysis | ⏳ pending | CI gating job: static-analysis |
| §5d smoke test / docker | ⏳ pending | CI gating job: docker-tests chain (--ci-wait-gpu) |
| frontend unit tests | ⏳ pending | CI gating job: frontend-unit-tests |

CI gating: unit-tests, frontend-unit-tests, static-analysis + full docker-tests chain (--ci-wait-gpu). Poll timeout: 55 min. This PR stays draft until CI is green.

Deferred

Container-only CVEs (CVE-2026-6100, CVE-2026-11940/11972, CVE-2026-9669, CVE-2026-45447) affect the base image. Re-run with --include-base-image to fix via Dockerfile base bump.

Stale scripts/requirements.txt pin (aiohttp==3.12.14) — update separately.


NVBugs update: disabled (--no-nvbugs-update)
Report: cve-fix-reports/NSPECT-S62Q-PZUD-20260630-022149/ (local workspace, not committed)
Generated-by: agentic-cve-fix

NVIDIA RAG Security Bot added 2 commits June 30, 2026 02:27
aiohttp >=3.14.1 (CVE-2026-50269 cluster), cryptography >=48.0.1
(GHSA-537c-gmf6-5ccf), starlette >=1.3.1 (CVE-2026-54283 cluster),
python-multipart >=0.0.31 (CVE-2026-53539 cluster), langsmith >=0.8.18
(GHSA-f4xh-w4cj-qxq8), langchain >=1.3.9 (GHSA-gr75-jv2w-4656),
langchain-openai >=1.1.14 / openai >=2.26.0 (PYSEC-2026-76),
bleach >=6.4.0 (GHSA-gj48-438w-jh9v), pyarrow >=23.0.1
(PYSEC-2026-113), pydantic-settings >=2.14.2 (GHSA-4xgf-cpjx-pc3j),
langgraph-sdk >=0.3.15 (CVE-2026-48776). Also bumps fastapi >=0.135.0
to unblock starlette 1.3.1. pip-audit post-fix: 0 vulnerabilities.

Refs: NSPECT-S62Q-PZUD (collection)
Refs: NSPECT-UV6I-R3V9 (container child)
Refs: NSPECT-O8B9-SHZ8 (helm chart child)
Generated-by: agentic-cve-fix
Signed-off-by: NVIDIA RAG <foundational-rag-dev@exchange.nvidia.com>

Adds regression guards for all 11 CVE clusters addressed in the
preceding manifest bump: aiohttp, cryptography, starlette,
python-multipart, langsmith, langchain, langchain-openai, bleach,
pyarrow, pydantic-settings, langgraph-sdk. All 18 tests in the
security-pins suite pass (including 7 pre-existing guards).

Refs: NSPECT-S62Q-PZUD (collection)
Generated-by: agentic-cve-fix
Signed-off-by: NVIDIA RAG <foundational-rag-dev@exchange.nvidia.com>

copy-pr-bot Bot commented Jun 30, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.