diff --git a/pyproject.toml b/pyproject.toml
index f7651f1..607dfe6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -20,7 +20,7 @@ dependencies = [
 "huggingface-hub>=0.23",
 "jsonschema[format]>=4.23.0",
 "psutil>=5.9",
- "pyarrow>=17.0.0",
+ "pyarrow>=23.0.1",
 "lm-eval[api]==0.4.12",
 # tokenizers powers the lm-eval converter's tok/s computation. The library
 # is also a transitive dep of transformers (and therefore lm-eval), but
diff --git a/space/requirements.txt b/space/requirements.txt
index 2120ea2..0757c14 100644
--- a/space/requirements.txt
+++ b/space/requirements.txt
@@ -9,9 +9,10 @@ huggingface-hub>=0.23
 # pillow 9.5.0 → 3 CVEs fixed in 10.4.0 (CVE-2024-28219, CVE-2023-50447, CVE-2024-44537)
 # pillow 10.4.0 → GHSA-cfh3-3jmp-rvhc + GHSA-whj4-6x5x-4v2j fixed in 12.2.0
 # pyarrow 14 → PYSEC-2023-238 + PYSEC-2024-161 fixed in 17.0.0
+# pyarrow 17.0.0 → PYSEC-2026-113 (CVSS 7.0 High) fixed in 23.0.1
 # orjson 3.9.9 → GHSA-hx9q-6w63-j58v fixed in 3.11.6
 # idna 3.9.0 → GHSA-65pc-fj4g-8rjx fixed in 3.15 (CVSS 6.9, transitive via requests/httpx)
-pyarrow>=17.0.0
+pyarrow>=23.0.1
 pillow>=12.2.0
 orjson>=3.11.6
 idna>=3.15
diff --git a/uv.lock b/uv.lock
index 593a524..f5e5f1c 100644
--- a/uv.lock
+++ b/uv.lock
@@ -2577,7 +2577,7 @@ requires-dist = [
 { name = "pandas", marker = "extra == 'viewer'", specifier = ">=2.0" },
 { name = "plotly", marker = "extra == 'viewer'", specifier = ">=6.7.0" },
 { name = "psutil", specifier = ">=5.9" },
- { name = "pyarrow", specifier = ">=17.0.0" },
+ { name = "pyarrow", specifier = ">=23.0.1" },
 { name = "qwen-agent", marker = "extra == 'framework-eval'", specifier = ">=0.0.14" },
 { name = "smolagents", marker = "extra == 'framework-eval'", specifier = ">=1.0.0" },
 { name = "soundfile", marker = "extra == 'framework-eval'", specifier = ">=0.13.0" },