Skip to content

Security/upgrade requests urllib3 CVE fix#894

Merged
mayankmendix merged 3 commits into
mendix:developfrom
bhavinshah-mendix:security/upgrade-requests-urllib3-CVE-fix
May 25, 2026
Merged

Security/upgrade requests urllib3 CVE fix#894
mayankmendix merged 3 commits into
mendix:developfrom
bhavinshah-mendix:security/upgrade-requests-urllib3-CVE-fix

Conversation

@bhavinshah-mendix

Copy link
Copy Markdown
Collaborator

No description provided.

bhavinshah-mendix and others added 3 commits May 25, 2026 14:29
Fixes high-severity CVEs:
- CVE-2026-25645 (requests): Fixed in 2.33.0+
- GHSA-mf9v-mfxr-j63j (urllib3): Streaming API decompression issue
- GHSA-qccp-gfcp-xxvc (urllib3): Cross-origin redirect header leakage

Changes:
- requests: 2.32.5 → 2.34.2
- urllib3: 2.6.3 → 2.7.0
- charset-normalizer: 2.0.3 → 3.4.7 (transitive)
- idna: 3.10 → 3.15 (transitive)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
   - CVE-2026-25645 (requests): Fixed in 2.33.0+
   - GHSA-mf9v-mfxr-j63j (urllib3): Streaming API decompression issue
   - GHSA-qccp-gfcp-xxvc (urllib3): Cross-origin redirect header leakage
@mayankmendix
mayankmendix merged commit ef8bec4 into mendix:develop May 25, 2026
26 checks passed
mayankmendix added a commit that referenced this pull request May 28, 2026
* added the metering code

* added logging

* added the sap metering sidecar

* updated the auth token usage

* updated the comments

* updated the env vars

* fix: update cryptography to 46.0.7 to address CVE-2026-39892

- Updated cryptography from 46.0.5 to 46.0.7
- Fixes buffer overflow vulnerability in non-contiguous buffer handling
- Regenerated requirements.txt with Python 3.10
- All unit tests passing (184 passed)
- All linting checks passing

* Bumped the cryptography module version to latest 47.0.0

* Fix CVE-2026-25645 and CVE-2026-34073 by upgrading requests and cryptography

Updated requests from 2.32.5 to 2.33.1 to address CVE-2026-25645.
Updated cryptography from 46.0.5 to 47.0.0 to address CVE-2026-34073.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Security/upgrade requests urllib3 CVE fix (#894)

* Security: Upgrade requests to 2.34.2 and urllib3 to 2.7.0

Fixes high-severity CVEs:
- CVE-2026-25645 (requests): Fixed in 2.33.0+
- GHSA-mf9v-mfxr-j63j (urllib3): Streaming API decompression issue
- GHSA-qccp-gfcp-xxvc (urllib3): Cross-origin redirect header leakage

Changes:
- requests: 2.32.5 → 2.34.2
- urllib3: 2.6.3 → 2.7.0
- charset-normalizer: 2.0.3 → 3.4.7 (transitive)
- idna: 3.10 → 3.15 (transitive)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Fixes high-severity CVEs:
   - CVE-2026-25645 (requests): Fixed in 2.33.0+
   - GHSA-mf9v-mfxr-j63j (urllib3): Streaming API decompression issue
   - GHSA-qccp-gfcp-xxvc (urllib3): Cross-origin redirect header leakage

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: bhavin.shah <bhavin.shah@mendix.com>
Co-authored-by: priyal.chawda@mendix.com <priyal.chawda@mendix.com>
Co-authored-by: Piyush <piyush.tiwari@mendix.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Bhavin Shah <162097397+bhavinshah-mendix@users.noreply.github.com>
mayankmendix added a commit that referenced this pull request May 29, 2026
* added the metering code

* added logging

* added the sap metering sidecar

* updated the auth token usage

* updated the comments

* updated the env vars

* fix: update cryptography to 46.0.7 to address CVE-2026-39892

- Updated cryptography from 46.0.5 to 46.0.7
- Fixes buffer overflow vulnerability in non-contiguous buffer handling
- Regenerated requirements.txt with Python 3.10
- All unit tests passing (184 passed)
- All linting checks passing

* Bumped the cryptography module version to latest 47.0.0

* Fix CVE-2026-25645 and CVE-2026-34073 by upgrading requests and cryptography

Updated requests from 2.32.5 to 2.33.1 to address CVE-2026-25645.
Updated cryptography from 46.0.5 to 47.0.0 to address CVE-2026-34073.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Security/upgrade requests urllib3 CVE fix (#894)

* Security: Upgrade requests to 2.34.2 and urllib3 to 2.7.0

Fixes high-severity CVEs:
- CVE-2026-25645 (requests): Fixed in 2.33.0+
- GHSA-mf9v-mfxr-j63j (urllib3): Streaming API decompression issue
- GHSA-qccp-gfcp-xxvc (urllib3): Cross-origin redirect header leakage

Changes:
- requests: 2.32.5 → 2.34.2
- urllib3: 2.6.3 → 2.7.0
- charset-normalizer: 2.0.3 → 3.4.7 (transitive)
- idna: 3.10 → 3.15 (transitive)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Fixes high-severity CVEs:
   - CVE-2026-25645 (requests): Fixed in 2.33.0+
   - GHSA-mf9v-mfxr-j63j (urllib3): Streaming API decompression issue
   - GHSA-qccp-gfcp-xxvc (urllib3): Cross-origin redirect header leakage

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: bhavin.shah <bhavin.shah@mendix.com>
Co-authored-by: priyal.chawda@mendix.com <priyal.chawda@mendix.com>
Co-authored-by: Piyush <piyush.tiwari@mendix.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Bhavin Shah <162097397+bhavinshah-mendix@users.noreply.github.com>
mayankmendix added a commit that referenced this pull request Jul 17, 2026
* added the metering code

* added logging

* added the sap metering sidecar

* updated the auth token usage

* updated the comments

* updated the env vars

* fix: update cryptography to 46.0.7 to address CVE-2026-39892

- Updated cryptography from 46.0.5 to 46.0.7
- Fixes buffer overflow vulnerability in non-contiguous buffer handling
- Regenerated requirements.txt with Python 3.10
- All unit tests passing (184 passed)
- All linting checks passing

* Bumped the cryptography module version to latest 47.0.0

* Fix CVE-2026-25645 and CVE-2026-34073 by upgrading requests and cryptography

Updated requests from 2.32.5 to 2.33.1 to address CVE-2026-25645.
Updated cryptography from 46.0.5 to 47.0.0 to address CVE-2026-34073.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Security/upgrade requests urllib3 CVE fix (#894)

* Security: Upgrade requests to 2.34.2 and urllib3 to 2.7.0

Fixes high-severity CVEs:
- CVE-2026-25645 (requests): Fixed in 2.33.0+
- GHSA-mf9v-mfxr-j63j (urllib3): Streaming API decompression issue
- GHSA-qccp-gfcp-xxvc (urllib3): Cross-origin redirect header leakage

Changes:
- requests: 2.32.5 → 2.34.2
- urllib3: 2.6.3 → 2.7.0
- charset-normalizer: 2.0.3 → 3.4.7 (transitive)
- idna: 3.10 → 3.15 (transitive)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Fixes high-severity CVEs:
   - CVE-2026-25645 (requests): Fixed in 2.33.0+
   - GHSA-mf9v-mfxr-j63j (urllib3): Streaming API decompression issue
   - GHSA-qccp-gfcp-xxvc (urllib3): Cross-origin redirect header leakage

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

* (fix) add typing extension lib (#898)

* Update requirements.txt

* Update requirements.in

* Expand static files caching (#901)

Support static files caching

* Security: Fix CVE-2026-45409 (idna) and GHSA-537c-gmf6-5ccf (cryptogr… (#902)

Security: Fix CVE-2026-45409 (idna) and GHSA-537c-gmf6-5ccf (cryptography)

Upgrades dependencies to address high-severity vulnerabilities:
- cryptography 47.0.0 → 48.0.1: Fixes vulnerable OpenSSL in wheels
- idna 3.10 → 3.15: Fixes DoS vulnerability in IDNA encoding

CVE-2026-45409: idna versions prior to 3.15 were vulnerable to DoS
attacks via specially crafted inputs to idna.encode() function.

GHSA-537c-gmf6-5ccf: cryptography wheels prior to 48.0.1 included
a statically linked copy of OpenSSL with security vulnerabilities.

---------

Co-authored-by: bhavin.shah <bhavin.shah@mendix.com>
Co-authored-by: priyal.chawda@mendix.com <priyal.chawda@mendix.com>
Co-authored-by: Piyush <piyush.tiwari@mendix.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Bhavin Shah <162097397+bhavinshah-mendix@users.noreply.github.com>
Co-authored-by: Sanny Ramirez <sai.ramirez.umak@gmail.com>
Co-authored-by: EnasAbdelrazek <96430281+EnasAbdelrazek@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants