[Aikido] Fix 33 critical issues in matplotlib, streamlit, transformers and 10 more

[aikido-autofix]

Upgrade dependencies to fix critical RCE vulnerabilities in fontTools arbitrary file write, matplotlib code execution via eval(), and urllib3 decompression bomb DoS attacks.

⚠️ Incomplete breaking changes analysis (5/13 analyzed)

⚠️ Breaking changes analysis not available for: streamlit, transformers, torch, fonttools, protobuf, pillow, filelock, tornado

✅ Based on the codebase analysis, the package upgrades do not introduce breaking changes that affect this codebase:

Python Version Compatibility: The project requires python = ">=3.10,<3.14" in pyproject.toml. The following packages drop Python 3.8 or 3.9 support, but this does not affect the codebase since it already requires Python 3.10+:

• fonttools (drops 3.8, requires 3.9+)

• pygments (drops 3.8)

• streamlit (drops 3.9 in 1.51.0)

• filelock (drops 3.9 in 3.20.0)

• requests (drops 3.9 in 2.33.0)

matplotlib: The codebase uses matplotlib.colormaps.get_cmap("tab20") in demo/app.py:462, which is unaffected by the cycler eval removal or pyparsing version bump.

streamlit: The codebase uses st.plotly_chart() with explicit use_container_width=True parameter in demo/app.py:1009, and only uses st.write() without kwargs. The deprecated features (st.bokeh_chart, st.experimental_user, experimental_query_params, add_rows, kwargs in st.vega_lite_chart) are not used in the codebase.

torch: The codebase imports torch in src/lex_graph/reference_finders/local_llm.py but only uses basic functionality (torch.dtype, torch.float16) that is unaffected by the breaking changes related to tensor operations, ONNX export, or inductor config variables.

requests: The codebase uses requests.get() and accesses response.headers["Content-Location"] in src/lex_graph/graph.py:156, which uses the standard requests library (not urllib3 directly), so the urllib3 breaking changes do not apply.

urllib3: No direct usage of urllib3.response.HTTPResponse, ContentDecoder, or deprecated methods like getheaders() was found in the codebase.

fonttools: No usage of fonttools-specific features affected by the breaking changes was found in the codebase.

All breaking changes by upgrading matplotlib from version 3.10.0 to 3.10.9 (CHANGELOG)

Version	Description
3.10.7	The minimum version of pyparsing has been updated to version 3.0
3.10.9	Security hardening validation of cyclers - Removing eval usage (may break code that relied on eval functionality in cyclers)
3.10.9	Security hardening in Latex and PS calls - Removing shell escapes (may break code that relied on shell escape functionality)

All breaking changes by upgrading requests from version 2.32.3 to 2.33.1 (CHANGELOG)

Version	Description
2.33.0	Dropped support for Python 3.9 following its end of support.

All breaking changes by upgrading urllib3 from version 2.3.0 to 2.6.3 (CHANGELOG)

Version	Description
2.6.0	The number of allowed chained encodings in the Content-Encoding header is now limited to 5, which may cause previously working requests with more than 5 chained encodings to fail.
2.6.0	The API of urllib3.response.ContentDecoder has changed, requiring updates to custom decompressors.
2.6.0	Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers.
2.6.0	Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default).

All breaking changes by upgrading pygments from version 2.19.1 to 2.20.0 (CHANGELOG)

Version	Description
2.20.0	Drop Python 3.8 as a supported version

✅ 33 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2025-66034	🚨 CRITICAL	[fonttools] An arbitrary file write vulnerability in the varLib module allows remote code execution when processing malicious .designspace files, enabling attackers to write files to arbitrary locations on the system.
AIKIDO-2026-10536	HIGH	[matplotlib] A vulnerability in validate_cycler() allows arbitrary code execution through unsafe eval() parsing of the axes.prop_cycle rcParam string from configuration files or styles. Additionally, external tools (LaTeX, dvips, Ghostscript) in the PGF, LaTeX, and PostScript pipelines were susceptible to shell escape attacks.
CVE-2025-66418	HIGH	[urllib3] An unbounded decompression chain vulnerability allows malicious servers to insert unlimited compression steps, causing excessive CPU usage and memory allocation. This leads to denial of service through resource exhaustion.
CVE-2025-66471	HIGH	[urllib3] The Streaming API improperly handles highly compressed data, allowing attackers to cause excessive CPU usage and massive memory allocation through decompression of small compressed payloads. This results in a denial-of-service vulnerability via resource exhaustion.
CVE-2026-21441	HIGH	[urllib3] Decompression bomb vulnerability in streaming API for HTTP redirects. Malicious servers can trigger excessive resource consumption by sending compressed redirect responses that are fully decompressed without respecting read limits.
CVE-2025-50181	MEDIUM	[urllib3] A vulnerability allows disabling redirects for all requests through improper PoolManager instantiation with retries configuration, potentially bypassing SSRF and open redirect mitigations. Applications relying on disabled redirects to prevent these vulnerabilities remain exposed to attacks.
CVE-2025-50182	MEDIUM	[urllib3] A vulnerability allows uncontrolled HTTP redirects in browser and Node.js environments when using Pyodide, as redirect control parameters are ignored by the runtime. This could enable open redirect attacks or redirect-based security bypasses.
CVE-2026-0994	HIGH	[protobuf] ParseDict() fails to properly track recursion depth when handling nested Any messages, allowing attackers to bypass the max_recursion_depth limit and trigger a RecursionError, causing denial of service.
CVE-2026-25990	HIGH	[pillow] is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
CVE-2026-40192	HIGH	[pillow] A decompression bomb vulnerability in FITS image decoding allows unbounded GZIP decompression, enabling attackers to cause denial of service through excessive memory consumption via specially crafted FITS files.
AIKIDO-2025-10201	HIGH	[streamlit] The file_uploader widget fails to validate file type restrictions on the server side, allowing attackers to bypass client-side restrictions and upload arbitrary files. This vulnerability enables unauthorized file uploads that could lead to remote code execution or other malicious activities.
CVE-2026-33682	MEDIUM	[streamlit] Unauthenticated Server-Side Request Forgery (SSRF) vulnerability on Windows allows attackers to supply malicious UNC paths that trigger outbound SMB connections, potentially exposing NTLMv2 credentials for relay attacks. The flaw stems from improper filesystem path validation before resolution.
CVE-2025-68146	MEDIUM	[filelock] A TOCTOU race condition in lock file creation allows local attackers to corrupt or truncate arbitrary files via symlink attacks on Unix, Linux, macOS, and Windows. Attackers can exploit the time gap between file existence checks and file opening to redirect writes to victim files.
CVE-2026-22701	MEDIUM	[filelock] A TOCTOU race condition in SoftFileLock allows local attackers to create symlinks between permission validation and file creation, causing lock operations to fail or operate on unintended targets. This can lead to denial of service or unexpected lock behavior.
CVE-2025-2099	LOW	[transformers] The preprocess_string() function in the testing utilities module contains a Regular Expression Denial of Service (ReDoS) vulnerability with nested quantifiers that causes exponential backtracking. An attacker can exploit this with specially crafted input to trigger high CPU usage and application downtime.
CVE-2025-6638	LOW	[transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in MarianTokenizer's remove_language_code() method allows attackers to cause excessive CPU consumption through crafted malformed language code patterns, resulting in denial of service.
CVE-2025-6921	LOW	[transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the AdamWeightDecay optimizer allows malicious regex patterns in weight decay configuration lists to cause catastrophic backtracking, resulting in 100% CPU utilization and service denial.
CVE-2025-3777	LOW	[transformers] Improper URL validation in image utilities allows attackers to bypass domain checks through username injection, enabling crafted URLs to redirect to malicious domains for phishing, malware distribution, or data exfiltration attacks.
CVE-2025-1194	LOW	[transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the GPT-NeoX-Japanese tokenizer causes exponential regex backtracking on specially crafted inputs, leading to high CPU usage and potential application downtime.
CVE-2025-3263	LOW	[transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the configuration file retrieval function allows attackers to cause excessive CPU consumption through crafted input strings, leading to service disruption and resource exhaustion.
CVE-2025-3264	LOW	[transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the get_imports() function allows attackers to cause excessive CPU consumption through crafted input, leading to resource exhaustion and service disruption.
CVE-2025-3933	LOW	[transformers] A ReDoS vulnerability in the DonutProcessor's token2json() method allows attackers to cause excessive CPU consumption through crafted input strings, leading to denial of service and resource exhaustion.
CVE-2025-5197	LOW	[transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the weight name conversion function allows attackers to cause excessive CPU consumption through crafted input strings, leading to service disruption and resource exhaustion.
CVE-2025-6051	LOW	[transformers] A Regular Expression Denial of Service (ReDoS) vulnerability in the normalize_numbers() method allows attackers to cause excessive CPU consumption through crafted numeric input strings, leading to service disruption and resource exhaustion in text-to-speech and normalization tasks.
CVE-2025-3730	MEDIUM	[torch] The ctc_loss function in torch.nn.functional is vulnerable to denial of service through malicious input manipulation. This local attack vector can crash the application when processing untrusted models or data.
CVE-2025-2953	MEDIUM	[torch] A denial of service vulnerability exists in the mkldnn_max_pool2d function that can be exploited locally through malicious models. The vulnerability allows attackers to cause application crashes or resource exhaustion.
CVE-2026-25645	MEDIUM	[requests] The extract_zipped_paths() utility function uses predictable filenames when extracting zip archives to the temp directory, allowing local attackers to pre-create malicious files that get loaded instead of legitimate ones, resulting in arbitrary code execution.
CVE-2024-47081	MEDIUM	[requests] A URL parsing vulnerability allows maliciously-crafted URLs to leak .netrc credentials to third parties. This could enable credential theft and unauthorized access to authenticated services.
GHSA-78cv-mqj4-43f7	MEDIUM	[tornado] Insufficient validation of domain, path, and samesite cookie arguments allows semicolons, enabling attackers to inject arbitrary cookie attributes. This could lead to session hijacking or other cookie-based attacks.
CVE-2026-35536	MEDIUM	[tornado] In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
CVE-2026-31958	LOW	[tornado] Insufficient limits on multipart/form-data parts allow attackers to cause denial-of-service by sending requests with many parts that consume excessive parsing resources on the main thread.
CVE-2026-4539	LOW	[pygments] A regular expression denial of service (ReDoS) vulnerability exists in the AdlLexer function that can be exploited locally to cause inefficient processing and potential denial of service. The vulnerability requires local access to trigger the malicious input against the vulnerable regex pattern.
AIKIDO-2025-10325	LOW	[numpy] A heap buffer overflow vulnerability exists in the strings.find function due to incorrect memory allocation calculations, leading to out-of-bounds access. This can cause application crashes or potentially enable arbitrary code execution.