[Bug]: Multiple Critical/High Security Vulnerabilities in Dependencies

[sami-marreed]

Bug Description

Multiple critical and high severity security vulnerabilities have been detected across Python and npm dependencies in the main project and example projects.

Python vulnerabilities:

• NLTK – Zip Slip Vulnerability (Critical) – uv.lock
• LangChain serialization injection (Critical) – enables secret extraction via dumps/loads APIs – detected in docs/examples/cuga_with_runtime_tools/uv.lock and docs/examples/cuga_as_mcp/uv.lock
• Pillow – out-of-bounds write loading PSD images (High) – uv.lock, docs/examples/cuga_with_runtime_tools/uv.lock, docs/examples/cuga_as_mcp/uv.lock
• urllib3 – decompression bomb when following HTTP redirects (High) – detected in docs/examples/demo_apps/file_system/uv.lock, docs/examples/demo_apps/email_mcp/mcp_server/uv.lock, docs/examples/demo_apps/crm/uv.lock, docs/examples/cuga_with_runtime_tools/uv.lock, docs/examples/cuga_as_mcp/uv.lock
• urllib3 – unbounded decompression chain links (High) – same set of lock files
• urllib3 – streaming API improperly handles highly compressed data (High) – same set of lock files

npm vulnerabilities (in src/frontend_workspaces/pnpm-lock.yaml):

• Rollup 4 – Arbitrary File Write via Path Traversal (High)
• basic-ftp – Path Traversal in downloadToDir() (Critical)
• minimatch – ReDoS via repeated wildcards (High) – multiple instances

Steps to Reproduce

1. Check GitHub Dependabot alerts
2. Upgrade affected Python dependencies via uv and npm dependencies via pnpm
3. Reinstall npm dependencies:

   cd src/frontend_workspaces
   pnpm install
   

4. Rebuild the frontend UI:

   cd src/frontend_workspaces/frontend
   sh build.sh
   

5. Rerun the agent to verify no regressions:
   • cuga start demo
   • cuga start demo_crm
   • cuga start manager
6. Verify all modes start and operate correctly

Expected Behavior

All dependencies should be updated to versions that patch the listed vulnerabilities. The application should continue to function correctly after upgrades — cuga start demo, cuga start demo_crm, and cuga start manager should all start and run without regressions. The frontend UI (rebuilt via sh build.sh in src/frontend_workspaces/frontend/) should also function correctly.

Actual Behavior

Dependabot has flagged critical and high severity vulnerabilities in both Python (uv.lock) and npm (pnpm-lock.yaml) lock files across the main project and multiple example projects under docs/examples/.

Environment

• Detected automatically by GitHub Dependabot
• Package managers: uv (Python), pnpm (Node/npm)
• Affects: uv.lock, pnpm-lock.yaml, and multiple example project lock files under docs/examples/

[sami-marreed]

@coderabbitai plan

[coderabbitai]

Coding Plan

Summary

• Use tool.uv.constraint-dependencies in the root pyproject.toml to enforce minimum versions for transitive Python dependencies (Pillow, urllib3)
• Regenerate all Python uv.lock files with uv lock --upgrade to pull patched versions
• Document NLTK CVE-2025-14009 as a known issue since no patched PyPI release exists
• Extend the existing pnpm overrides mechanism to force patched versions of rollup, basic-ftp, and minimatch across the frontend monorepo

Design Choices

Design Choice 1: NLTK CVE-2025-14009 remediation approach

Options Considered:

1. Wait for upstream NLTK to release a patched version and track this as a known issue
2. Install NLTK directly from GitHub master branch
3. Remove NLTK dependency entirely

Chosen Option: 1

Rationale: Document as a known issue since NLTK is a dev-only dependency (not runtime), installing from git master introduces instability risks, and removing it would break dev workflows. Will add a comment and track for future remediation.

Design Choice 2: Transitive dependency constraint mechanism for Python

Options Considered:

1. Add them as direct dependencies with version floors
2. Use tool.uv.constraint-dependencies to enforce minimum versions for transitive deps
3. Simply regenerate lock files and hope newer versions resolve

Chosen Option: 2

Rationale: Use tool.uv.constraint-dependencies as this is the idiomatic uv approach for enforcing transitive dependency floors without polluting the direct dependency list.

💡 User Tips

Regenerate the plan with different choices with @coderabbitai <feedback>.

Implementation Steps

Phase 1: Python Root Project Security Updates

This phase addresses vulnerabilities in the main project's Python dependencies by adding constraints for transitive dependencies and regenerating the lock file to pull patched versions.

Task 1: Add Transitive Dependency Constraints

Add uv constraint-dependencies to enforce minimum versions for vulnerable transitive dependencies.

• Update pyproject.toml to extend the [tool.uv] section with a constraint-dependencies list
• Add constraint pillow>=12.1.1 to address CVE-2026-25990 (PSD out-of-bounds write)
• Add constraint urllib3>=2.6.3 to address CVE-2025-66418, CVE-2025-66471, CVE-2025-50181, CVE-2025-50182, and CVE-2026-21441 (various decompression and redirect vulnerabilities)
• Note: langchain-core is already at 1.2.7 in root (safe, as CVE-2025-68664 requires >= 1.2.5)

Task 2: Regenerate Root Lock File

Regenerate the root uv.lock to resolve dependencies with the new constraints.

• Run uv lock --upgrade in the repository root to regenerate uv.lock
• This will pull Pillow 12.1.1+ and ensure urllib3 remains at 2.6.3+
• Verify the new lock file contains the expected patched versions

Task 3: Document NLTK Vulnerability Status

Document the NLTK vulnerability as a known issue since no upstream fix is available.

• Add a comment in pyproject.toml above the NLTK entry in [dependency-groups] dev noting CVE-2025-14009 status
• The comment should indicate: vulnerability exists, no PyPI fix available, NLTK is dev-only dependency, track upstream for patched release
• This provides visibility for future remediation when a patched version is released

🤖 Prompt for AI agents

This phase updates the root `pyproject.toml` to add uv constraint-dependencies
for vulnerable transitive Python dependencies, regenerates the root lock file,
and documents the NLTK known vulnerability.

- In `pyproject.toml`, extend the `[tool.uv]` section by adding a
`constraint-dependencies` list with the following entries:
  - `pillow>=12.1.1` (addresses CVE-2026-25990)
- `urllib3>=2.6.3` (addresses CVE-2025-66418, CVE-2025-66471, CVE-2025-50181,
CVE-2025-50182, CVE-2026-21441)
- In `pyproject.toml`, locate the NLTK entry under `[dependency-groups] dev` and
add a comment above it documenting CVE-2025-14009: note that the vulnerability
exists, no PyPI fix is available, NLTK is a dev-only dependency, and that the
upstream release should be tracked for a patched version
- Run `uv lock --upgrade` in the repository root to regenerate `uv.lock`
- Verify the regenerated `uv.lock` contains Pillow 12.1.1+ and urllib3 2.6.3+

Phase 2: Python Example Sub-Projects Lock File Updates

This phase regenerates lock files for all example sub-projects to pull updated transitive dependencies. Since these projects use editable path dependencies to the root cuga package, the constraint-dependencies added in Phase 1 will influence resolution.

Regenerate Example Project Lock Files

Regenerate uv.lock files for all example sub-projects that contain vulnerable dependencies.

• Run uv lock --upgrade in docs/examples/cuga_as_mcp/ to update langchain (0.3.26 → 1.2.5+), langchain-core (0.3.66 → 1.2.5+), Pillow (11.3.0 → 12.1.1+), and urllib3 (2.5.0 → 2.6.3+)
• Run uv lock --upgrade in docs/examples/cuga_with_runtime_tools/ to update langchain (0.3.27 → 1.2.5+), langchain-core (0.3.79 → 1.2.5+), Pillow (12.0.0 → 12.1.1+), and urllib3 (2.5.0 → 2.6.3+)
• Run uv lock --upgrade in docs/examples/demo_apps/crm/ to update urllib3 (2.5.0 → 2.6.3+)
• Run uv lock --upgrade in docs/examples/demo_apps/email_mcp/mcp_server/ to update urllib3 (2.6.2 → 2.6.3+)
• Run uv lock --upgrade in docs/examples/demo_apps/file_system/ to update urllib3 (2.5.0 → 2.6.3+)
• Run uv lock in docs/examples/demo_apps/setup/ (no vulnerable deps but ensure lock consistency)
• Optionally create docs/examples/demo_apps/email_mcp/mail_sink/uv.lock if needed (currently missing)

🤖 Prompt for AI agents

This phase regenerates `uv.lock` files across all example sub-projects under
`docs/examples/` to pull patched versions of transitive dependencies.

Run the following commands in order, each in their respective directory:
- `uv lock --upgrade` in `docs/examples/cuga_as_mcp/` — targets: langchain
(0.3.26 → 1.2.5+), langchain-core (0.3.66 → 1.2.5+), Pillow (11.3.0 → 12.1.1+),
urllib3 (2.5.0 → 2.6.3+)
- `uv lock --upgrade` in `docs/examples/cuga_with_runtime_tools/` — targets:
langchain (0.3.27 → 1.2.5+), langchain-core (0.3.79 → 1.2.5+), Pillow (12.0.0 →
12.1.1+), urllib3 (2.5.0 → 2.6.3+)
- `uv lock --upgrade` in `docs/examples/demo_apps/crm/` — targets: urllib3
(2.5.0 → 2.6.3+)
- `uv lock --upgrade` in `docs/examples/demo_apps/email_mcp/mcp_server/` —
targets: urllib3 (2.6.2 → 2.6.3+)
- `uv lock --upgrade` in `docs/examples/demo_apps/file_system/` — targets:
urllib3 (2.5.0 → 2.6.3+)
- `uv lock` in `docs/examples/demo_apps/setup/` — no vulnerable deps, but ensure
lock consistency
- If `docs/examples/demo_apps/email_mcp/mail_sink/uv.lock` is missing,
optionally generate it with `uv lock`

After running all commands, verify each updated lock file contains the expected
patched versions of the affected packages.

Phase 3: npm Frontend Workspaces Security Updates

This phase addresses npm vulnerabilities by adding pnpm overrides to force patched versions of transitive dependencies and regenerating the lock file.

Task 1: Add pnpm Overrides for Vulnerable Packages

Extend the existing pnpm overrides in the root package.json to force minimum versions for rollup, basic-ftp, and minimatch.

• Update src/frontend_workspaces/package.json to add entries to the existing pnpm.overrides object
• Add "rollup": ">=4.59.0" to address CVE-2026-27606 (arbitrary file write via path traversal)
• Add "basic-ftp": ">=5.2.0" to address CVE-2026-27699 (path traversal in downloadToDir)
• Add "minimatch": ">=3.1.4" to address CVE-2026-27904 (ReDoS) - this override will apply to all minimatch versions, forcing the 3.x line to 3.1.4+ which should cascade appropriately

Task 2: Regenerate pnpm Lock File

Regenerate the pnpm-lock.yaml to apply the new overrides.

• Run pnpm install in src/frontend_workspaces/ to regenerate pnpm-lock.yaml with the overrides applied
• Verify rollup resolves to 4.59.0+, basic-ftp to 5.2.0+, and minimatch versions are updated
• Note: minimatch has multiple major versions (3.x, 5.x, 9.x, 10.x); the override may need adjustment if pnpm doesn't handle major version lines correctly with a single override

Task 3: Verify Frontend Build Compatibility

Ensure the frontend workspaces still build correctly after the dependency updates.

• Run the build script in src/frontend_workspaces/frontend/ via sh build.sh to verify no build regressions
• Address any compatibility issues that arise from the updated dependencies
• The primary risk is with Rollup 4.59.0 as a major version bump from 4.50.0 could introduce breaking changes in Vite/WXT build pipelines

🤖 Prompt for AI agents

This phase updates `src/frontend_workspaces/package.json` to add pnpm overrides
for vulnerable npm transitive dependencies, regenerates the pnpm lock file, and
verifies the frontend build.

- In `src/frontend_workspaces/package.json`, locate the existing
`pnpm.overrides` object and add the following entries:
- `"rollup": ">=4.59.0"` (addresses CVE-2026-27606 — arbitrary file write via
path traversal)
- `"basic-ftp": ">=5.2.0"` (addresses CVE-2026-27699 — path traversal in
downloadToDir)
- `"minimatch": ">=3.1.4"` (addresses CVE-2026-27904 — ReDoS; note: minimatch
exists in multiple major version lines — 3.x, 5.x, 9.x, 10.x — and the override
may need adjustment if pnpm doesn't handle all lines correctly with a single
override)
- Run `pnpm install` in `src/frontend_workspaces/` to regenerate
`pnpm-lock.yaml` with the new overrides applied
- Verify the regenerated lock file resolves rollup to 4.59.0+, basic-ftp to
5.2.0+, and updated minimatch versions
- Run `sh build.sh` in `src/frontend_workspaces/frontend/` to confirm no build
regressions; the primary compatibility risk is the Rollup version bump (4.50.0 →
4.59.0) potentially affecting the Vite/WXT build pipeline

Research

This is a Python project (cuga) using uv for dependency management, with a pnpm monorepo for frontend workspaces. The root pyproject.toml declares direct dependencies with minimal version constraints, while transitive dependencies (Pillow, urllib3) are resolved by uv. Example sub-projects under docs/examples/ have their own pyproject.toml and uv.lock files, with the main cuga package installed as an editable path dependency. The frontend workspaces use pnpm with a centralized overrides mechanism in the root package.json for forcing transitive dependency versions.

---

🚀 Next Steps

🤖 All AI agent prompts combined

Task: 1

This phase updates the root `pyproject.toml` to add uv constraint-dependencies
for vulnerable transitive Python dependencies, regenerates the root lock file,
and documents the NLTK known vulnerability.

- In `pyproject.toml`, extend the `[tool.uv]` section by adding a
`constraint-dependencies` list with the following entries:
  - `pillow>=12.1.1` (addresses CVE-2026-25990)
- `urllib3>=2.6.3` (addresses CVE-2025-66418, CVE-2025-66471, CVE-2025-50181,
CVE-2025-50182, CVE-2026-21441)
- In `pyproject.toml`, locate the NLTK entry under `[dependency-groups] dev` and
add a comment above it documenting CVE-2025-14009: note that the vulnerability
exists, no PyPI fix is available, NLTK is a dev-only dependency, and that the
upstream release should be tracked for a patched version
- Run `uv lock --upgrade` in the repository root to regenerate `uv.lock`
- Verify the regenerated `uv.lock` contains Pillow 12.1.1+ and urllib3 2.6.3+
===============================================================================

Task: 2

This phase regenerates `uv.lock` files across all example sub-projects under
`docs/examples/` to pull patched versions of transitive dependencies.

Run the following commands in order, each in their respective directory:
- `uv lock --upgrade` in `docs/examples/cuga_as_mcp/` — targets: langchain
(0.3.26 → 1.2.5+), langchain-core (0.3.66 → 1.2.5+), Pillow (11.3.0 → 12.1.1+),
urllib3 (2.5.0 → 2.6.3+)
- `uv lock --upgrade` in `docs/examples/cuga_with_runtime_tools/` — targets:
langchain (0.3.27 → 1.2.5+), langchain-core (0.3.79 → 1.2.5+), Pillow (12.0.0 →
12.1.1+), urllib3 (2.5.0 → 2.6.3+)
- `uv lock --upgrade` in `docs/examples/demo_apps/crm/` — targets: urllib3
(2.5.0 → 2.6.3+)
- `uv lock --upgrade` in `docs/examples/demo_apps/email_mcp/mcp_server/` —
targets: urllib3 (2.6.2 → 2.6.3+)
- `uv lock --upgrade` in `docs/examples/demo_apps/file_system/` — targets:
urllib3 (2.5.0 → 2.6.3+)
- `uv lock` in `docs/examples/demo_apps/setup/` — no vulnerable deps, but ensure
lock consistency
- If `docs/examples/demo_apps/email_mcp/mail_sink/uv.lock` is missing,
optionally generate it with `uv lock`

After running all commands, verify each updated lock file contains the expected
patched versions of the affected packages.
===============================================================================

Task: 3

This phase updates `src/frontend_workspaces/package.json` to add pnpm overrides
for vulnerable npm transitive dependencies, regenerates the pnpm lock file, and
verifies the frontend build.

- In `src/frontend_workspaces/package.json`, locate the existing
`pnpm.overrides` object and add the following entries:
- `"rollup": ">=4.59.0"` (addresses CVE-2026-27606 — arbitrary file write via
path traversal)
- `"basic-ftp": ">=5.2.0"` (addresses CVE-2026-27699 — path traversal in
downloadToDir)
- `"minimatch": ">=3.1.4"` (addresses CVE-2026-27904 — ReDoS; note: minimatch
exists in multiple major version lines — 3.x, 5.x, 9.x, 10.x — and the override
may need adjustment if pnpm doesn't handle all lines correctly with a single
override)
- Run `pnpm install` in `src/frontend_workspaces/` to regenerate
`pnpm-lock.yaml` with the new overrides applied
- Verify the regenerated lock file resolves rollup to 4.59.0+, basic-ftp to
5.2.0+, and updated minimatch versions
- Run `sh build.sh` in `src/frontend_workspaces/frontend/` to confirm no build
regressions; the primary compatibility risk is the Rollup version bump (4.50.0 →
4.59.0) potentially affecting the Vite/WXT build pipeline

💡 Iterate on the plan with: @coderabbitai <feedback>

Example Feedback
- `@coderabbitai` You can skip phase 3. Add a simple unit test case for phase 2.
- `@coderabbitai` For design choice 1 go ahead with option 3 and replan.

---

💬 Have feedback or questions? Drop into our discord!

[sami-marreed]

@offerakrabi consider taking the design approach from new version in upstream