
[Aikido] Fix 32 critical issues in streamlit, transformers, torch and 9 more#14

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-25808257-k8u3

Conversation


@aikido-autofix aikido-autofix Bot commented Apr 23, 2026

Upgrade dependencies to fix critical RCE in fontTools, high-severity DoS and decompression bomb vulnerabilities in urllib3, and protobuf recursion bypass. This update includes breaking changes that require manual migration.

⚠️ Incomplete breaking changes analysis (4/12 analyzed)

⚠️ Breaking changes analysis not available for: streamlit, transformers, torch, fonttools, protobuf, pillow, filelock, tornado

streamlit (1.41.1 => 1.54.0)

Breaking Change: Python 3.9 Support Dropped (v1.51.0)

  • Where your code is affected: pyproject.toml line 8

  • Impact: The project currently requires python = ">=3.10,<3.15", which already excludes Python 3.9, so this breaking change does not affect the codebase.

  • Remediation: No action needed - project already requires Python 3.10+.

Breaking Change: Default use_container_width=True for st.dataframe (v1.43.0)

  • Where your code is affected: demo/app.py lines 565-567 and 573

  • Impact: Two st.dataframe() calls do not explicitly set use_container_width, so they will now default to True instead of False, causing the dataframes to expand to fill the container width instead of using their natural width.

  • Remediation: If the current width behavior is desired, explicitly set use_container_width=False in both st.dataframe() calls.

requests (2.32.3 => 2.33.0)

Breaking Change: Python 3.9 Support Dropped

  • Where your code is affected: pyproject.toml line 8, src/lex_graph/graph.py line 4

  • Impact: The project already requires Python 3.10+, so this breaking change does not affect the codebase.

  • Remediation: No action needed - project already requires Python 3.10+.

torch (2.6.0 => 2.8.0)

Breaking Change: torch.dtype parameter usage

  • Where your code is affected: src/lex_graph/reference_finders/local_llm.py line 13

  • Impact: The torch_dtype parameter is used with torch.float16 as default value and passed to AutoModelForCausalLM.from_pretrained(). While the parameter itself is not directly affected by breaking changes, the underlying behavior may change.

  • Remediation: Verify that the model loading with torch_dtype=torch.float16 still works correctly after the upgrade, particularly with the new manylinux_2_28 and CXX11_ABI=1 changes.

All breaking changes by upgrading requests from version 2.32.3 to 2.33.1 (CHANGELOG)

Version | Description
2.33.0 | Dropped support for Python 3.9 following its end of support.

All breaking changes by upgrading urllib3 from version 2.3.0 to 2.6.3 (CHANGELOG)

Version | Description
2.6.0 | The number of allowed chained encodings in the Content-Encoding header is now limited to 5, which may cause previously working requests with more than 5 chained encodings to fail.
2.6.0 | The API of urllib3.response.ContentDecoder has changed, requiring updates to custom decompressors.
2.6.0 | Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers.
2.6.0 | Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default).

All breaking changes by upgrading pygments from version 2.19.1 to 2.20.0 (CHANGELOG)

Version | Description
2.20.0 | Drop Python 3.8 as a supported version

✅ 32 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue | Severity | Description
CVE-2025-66034 | 🚨 CRITICAL | [fonttools] An arbitrary file write vulnerability in the varLib module allows remote code execution when processing malicious .designspace files, enabling attackers to write files to arbitrary locations on the system.
CVE-2025-66418 | HIGH | [urllib3] An unbounded decompression chain vulnerability allows malicious servers to insert unlimited compression steps, causing excessive CPU usage and memory allocation. This leads to denial of service through resource exhaustion.
CVE-2025-66471 | HIGH | [urllib3] The Streaming API improperly handles highly compressed data, allowing attackers to cause excessive CPU usage and massive memory allocation through decompression of small compressed payloads. This results in a denial-of-service vulnerability via resource exhaustion.
CVE-2026-21441 | HIGH | [urllib3] Decompression bomb vulnerability in streaming API for HTTP redirects. Malicious servers can trigger excessive resource consumption by sending compressed redirect responses that are fully decompressed without respecting read limits.
CVE-2025-50181 | MEDIUM | [urllib3] A vulnerability allows disabling redirects for all requests through improper PoolManager instantiation with retries configuration, potentially bypassing SSRF and open redirect mitigations. Applications relying on disabled redirects to prevent these vulnerabilities remain exposed to attacks.
CVE-2025-50182 | MEDIUM | [urllib3] A vulnerability allows uncontrolled HTTP redirects in browser and Node.js environments when using Pyodide, as redirect control parameters are ignored by the runtime. This could enable open redirect attacks or redirect-based security bypasses.
CVE-2026-0994 | HIGH | [protobuf] ParseDict() fails to properly track recursion depth when handling nested Any messages, allowing attackers to bypass the max_recursion_depth limit and trigger a RecursionError, causing denial of service.
CVE-2026-25990 | HIGH | [pillow] Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
CVE-2026-40192 | HIGH | [pillow] A decompression bomb vulnerability in FITS image decoding allows unbounded GZIP decompression, enabling attackers to cause denial of service through excessive memory consumption via specially crafted FITS files.
AIKIDO-2025-10201 | HIGH | [streamlit] The file_uploader widget fails to validate file type restrictions on the server side, allowing attackers to bypass client-side restrictions and upload arbitrary files. This vulnerability enables unauthorized file uploads that could lead to remote code execution or other malicious activities.
CVE-2026-33682 | MEDIUM | [streamlit] Unauthenticated Server-Side Request Forgery (SSRF) vulnerability on Windows allows attackers to supply malicious UNC paths that trigger outbound SMB connections, potentially exposing NTLMv2 credentials for relay attacks. The flaw stems from improper filesystem path validation before resolution.
CVE-2025-68146 | MEDIUM | [filelock] A TOCTOU race condition in lock file creation allows local attackers to corrupt or truncate arbitrary files via symlink attacks on Unix, Linux, macOS, and Windows. Attackers can exploit the time gap between file existence checks and file opening to redirect writes to victim files.
CVE-2026-22701 | MEDIUM | [filelock] A TOCTOU race condition in SoftFileLock allows local attackers to create symlinks between permission validation and file creation, causing lock operations to fail or operate on unintended targets. This can lead to denial of service or unexpected lock behavior.
CVE-2025-2099 | LOW | [transformers] The preprocess_string() function in the testing utilities module contains a Regular Expression Denial of Service (ReDoS) vulnerability with nested quantifiers that causes exponential backtracking. An attacker can exploit this with specially crafted input to trigger high CPU usage and application downtime.
CVE-2025-6638 | LOW | [transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in MarianTokenizer's remove_language_code() method allows attackers to cause excessive CPU consumption through crafted malformed language code patterns, resulting in denial of service.
CVE-2025-6921 | LOW | [transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the AdamWeightDecay optimizer allows malicious regex patterns in weight decay configuration lists to cause catastrophic backtracking, resulting in 100% CPU utilization and service denial.
CVE-2025-3777 | LOW | [transformers] Improper URL validation in image utilities allows attackers to bypass domain checks through username injection, enabling crafted URLs to redirect to malicious domains for phishing, malware distribution, or data exfiltration attacks.
CVE-2025-1194 | LOW | [transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the GPT-NeoX-Japanese tokenizer causes exponential regex backtracking on specially crafted inputs, leading to high CPU usage and potential application downtime.
CVE-2025-3263 | LOW | [transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the configuration file retrieval function allows attackers to cause excessive CPU consumption through crafted input strings, leading to service disruption and resource exhaustion.
CVE-2025-3264 | LOW | [transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the get_imports() function allows attackers to cause excessive CPU consumption through crafted input, leading to resource exhaustion and service disruption.
CVE-2025-3933 | LOW | [transformers] A ReDoS vulnerability in the DonutProcessor's token2json() method allows attackers to cause excessive CPU consumption through crafted input strings, leading to denial of service and resource exhaustion.
CVE-2025-5197 | LOW | [transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the weight name conversion function allows attackers to cause excessive CPU consumption through crafted input strings, leading to service disruption and resource exhaustion.
CVE-2025-6051 | LOW | [transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the normalize_numbers() method allows attackers to cause excessive CPU consumption through crafted numeric input strings, leading to service disruption and resource exhaustion in text-to-speech and normalization tasks.
CVE-2025-3730 | MEDIUM | [torch] The ctc_loss function in torch.nn.functional is vulnerable to denial of service through malicious input manipulation. This local attack vector can crash the application when processing untrusted models or data.
CVE-2025-2953 | MEDIUM | [torch] A denial of service vulnerability exists in the mkldnn_max_pool2d function that can be exploited locally through malicious models. The vulnerability allows attackers to cause application crashes or resource exhaustion.
CVE-2026-25645 | MEDIUM | [requests] The extract_zipped_paths() utility function uses predictable filenames when extracting zip archives to the temp directory, allowing local attackers to pre-create malicious files that get loaded instead of legitimate ones, resulting in arbitrary code execution.
CVE-2024-47081 | MEDIUM | [requests] A URL parsing vulnerability allows maliciously-crafted URLs to leak .netrc credentials to third parties. This could enable credential theft and unauthorized access to authenticated services.
GHSA-78cv-mqj4-43f7 | MEDIUM | [tornado] Insufficient validation of domain, path, and samesite cookie arguments allows semicolons, enabling attackers to inject arbitrary cookie attributes. This could lead to session hijacking or other cookie-based attacks.
CVE-2026-35536 | MEDIUM | [tornado] In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to RequestHandler.set_cookie were not checked for crafted characters.
CVE-2026-31958 | LOW | [tornado] Insufficient limits on multipart/form-data parts allow attackers to cause denial-of-service by sending requests with many parts that consume excessive parsing resources on the main thread.
CVE-2026-4539 | LOW | [pygments] A regular expression denial of service (ReDoS) vulnerability exists in the AdlLexer function that can be exploited locally to cause inefficient processing and potential denial of service. The vulnerability requires local access to trigger the malicious input against the vulnerable regex pattern.
AIKIDO-2025-10325 | LOW | [numpy] A heap buffer overflow vulnerability exists in the strings.find function due to incorrect memory allocation calculations, leading to out-of-bounds access. This can cause application crashes or potentially enable arbitrary code execution.
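The three urllib3 HIGH findings above (CVE-2025-66418, CVE-2025-66471, CVE-2026-21441) and the 2.6.0 changelog entry capping chained Content-Encoding values at 5 all come down to one rule: never let a server decide how much memory a response will occupy once inflated. The block below is an added example written for this page, not Aikido's tooling and not urllib3's own decoder; it shows the two checks in stdlib Python so they can be run offline. The 5-coding cap is taken from the changelog text; the 64 KiB decoded-size cap is an assumed value for the example, and the gzip/deflate inputs are constructed here.

```python
import gzip
import zlib

# Limits assumed for this example: the 5-coding cap mirrors the urllib3 2.6.0
# changelog entry above; the decoded-size cap is a value chosen here, not a
# urllib3 default, and should be tuned to the largest body the caller expects.
MAX_CODINGS = 5
MAX_DECODED_BYTES = 64 * 1024


class DecompressionLimitError(ValueError):
    """Base class for responses rejected before they are fully inflated."""


class TooManyCodings(DecompressionLimitError):
    pass


class DecodedTooLarge(DecompressionLimitError):
    pass


def parse_content_encoding(header: str) -> list[str]:
    """Split Content-Encoding into its codings, in the order they were applied."""
    codings = [c.strip().lower() for c in header.split(",") if c.strip()]
    if len(codings) > MAX_CODINGS:
        raise TooManyCodings(f"{len(codings)} chained codings exceeds {MAX_CODINGS}")
    return codings


def decode_layer(data: bytes, coding: str, limit: int) -> bytes:
    """Undo one coding, producing at most `limit` bytes or raising DecodedTooLarge."""
    if coding == "identity":
        return data
    if coding == "gzip":
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    elif coding == "deflate":
        d = zlib.decompressobj()  # zlib-wrapped deflate only; raw deflate is not handled here
    else:
        raise ValueError(f"unsupported coding {coding!r}")
    # Ask zlib for one byte more than the cap. If it delivers that byte, the body
    # is too big, and the rest of the input stays parked in unconsumed_tail
    # instead of being inflated into memory.
    out = bytearray(d.decompress(data, limit + 1))
    while d.unconsumed_tail and len(out) <= limit:
        # Only reached when the body is exactly `limit` bytes and the stream
        # trailer is still unread; drain it without allowing more output.
        out += d.decompress(d.unconsumed_tail, limit + 1 - len(out))
    if len(out) > limit:
        raise DecodedTooLarge(f"decoded {coding} body exceeds {limit} bytes")
    if not d.eof:
        raise ValueError(f"truncated {coding} stream")
    return bytes(out)


def decode_body(data: bytes, content_encoding: str, limit: int = MAX_DECODED_BYTES) -> bytes:
    """Undo every coding in Content-Encoding (last applied first), each under `limit`."""
    for coding in reversed(parse_content_encoding(content_encoding)):
        data = decode_layer(data, coding, limit)
    return data


def classify(data: bytes, content_encoding: str, limit: int = MAX_DECODED_BYTES) -> str:
    """Return 'ok', 'too-many-codings' or 'too-large' for a response body."""
    try:
        decode_body(data, content_encoding, limit)
    except TooManyCodings:
        return "too-many-codings"
    except DecodedTooLarge:
        return "too-large"
    return "ok"


# Constructed inputs: 1 MiB of zeros gzips to roughly 1 KiB, the "small payload,
# massive allocation" shape the urllib3 advisories describe; the others are benign.
BOMB = gzip.compress(b"\x00" * (1 << 20))
LEGIT = gzip.compress(b"hello" * 100)
DOUBLE = gzip.compress(zlib.compress(b"nested payload"))  # deflate applied first, then gzip

if __name__ == "__main__":
    print(f"bomb is {len(BOMB)} bytes on the wire:", classify(BOMB, "gzip"))
    print("benign body:", classify(LEGIT, "gzip"))
    print("two layers:", decode_body(DOUBLE, "deflate, gzip"))
    print("six chained codings:", classify(LEGIT, ", ".join(["gzip"] * 6)))
```

The per-layer cap matters as much as the total: a chain of five codings each expanding to the cap is still bounded, whereas capping only the final output would let every intermediate layer be inflated in full. Note that urllib3 >= 2.6.3 applies equivalent limits inside HTTPResponse; this example exists so the behaviour can be reasoned about and tested, not as a replacement for upgrading.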
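A bot PR like this one lists the versions it moves to, but the thing worth checking after merge (or after this PR was superseded by #15) is whether the lockfile actually carries them. The block below is an added example, not Aikido's tooling and not code from this repository. FLOORS holds only the target versions the PR text above states (streamlit 1.54.0, requests 2.33.1 per the changelog heading, urllib3 2.6.3, pygments 2.20.0, torch 2.8.0, pillow 12.1.1 from the advisory text, tornado 6.5.5 from the advisory text); transformers, fonttools, protobuf, filelock and numpy have no stated target on the page and are omitted. SAMPLE_LOCK is a constructed snapshot, not the project's real requirements.

```python
import re

# Minimum fixed versions taken from the PR text above (assumption: these are the
# versions the PR pins). Packages whose target version the PR does not state
# are deliberately omitted rather than guessed.
FLOORS = {
    "streamlit": "1.54.0",
    "requests": "2.33.1",
    "urllib3": "2.6.3",
    "pygments": "2.20.0",
    "torch": "2.8.0",
    "pillow": "12.1.1",
    "tornado": "6.5.5",
}

# name, optional [extras], '==', version; environment markers and comments are ignored
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
# dotted numeric release plus an optional dev/a/b/rc tag (subset of PEP 440)
_VERSION = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[.-]?(dev|a|b|rc)\.?(\d*))?")
_PRE_RANK = {"dev": -3, "a": -2, "b": -1, "rc": 0}
_FINAL = (1, 0)  # sorts above every pre-release tag of the same release


def normalize(name: str) -> str:
    """PEP 503 normalisation so Pygments, pygments and PYGMENTS compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Sortable key: numeric parts padded to equal length, pre-releases below finals."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (6 - len(nums))  # so 2.6 == 2.6.0; assumes at most 6 components
    if m.group(2):
        return nums + (_PRE_RANK[m.group(2)], int(m.group(3) or 0))
    return nums + _FINAL


def parse_pins(requirements: str) -> dict[str, str]:
    """Map normalised package name to its '==' pinned version."""
    pins = {}
    for line in requirements.splitlines():
        m = _PIN.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def below_floor(requirements: str) -> list[tuple[str, str, str]]:
    """(package, pinned, floor) for every pin still below the PR's fixed version."""
    pins = parse_pins(requirements)
    return sorted(
        (name, pins[name], floor)
        for name, floor in FLOORS.items()
        if name in pins and version_key(pins[name]) < version_key(floor)
    )


def unpinned(requirements: str) -> list[str]:
    """Packages from FLOORS with no '==' pin at all; a range cannot be audited this way."""
    pins = parse_pins(requirements)
    return sorted(name for name in FLOORS if name not in pins)


# Constructed lockfile snapshot, not the project's real one.
SAMPLE_LOCK = """\
streamlit==1.41.1
requests[socks]==2.33.1
urllib3==2.6.3 ; python_version >= "3.10"
Pygments==2.19.1        # capital P, still the same project
torch==2.8.0rc1
pillow>=12.1.1
tornado==6.5.5
numpy==2.2.4
"""

if __name__ == "__main__":
    for name, pinned, floor in below_floor(SAMPLE_LOCK):
        print(f"{name}: pinned {pinned}, PR requires >= {floor}")
    for name in unpinned(SAMPLE_LOCK):
        print(f"{name}: not pinned with '=='; check the resolved version by hand")
```

The pre-release handling is the part that bites in practice: torch==2.8.0rc1 reads as "2.8.0" at a glance but is below the 2.8.0 floor, and a plain string comparison would also rank 2.19.1 above 2.20.0. For a real audit, swap SAMPLE_LOCK for the contents of the lockfile or for the output of `pip freeze`.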

@aikido-autofix (Author)

Closed by Aikido: a new AutoFix has been created → #15

@aikido-autofix aikido-autofix Bot closed this Apr 24, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-update-packages-25808257-k8u3 branch April 24, 2026 23:41