Bump pyjwt and orjson to fix HIGH-severity CVEs#99

Merged
alex-feel merged 1 commit into main from alex-feel-dev
Mar 27, 2026

Conversation

@alex-feel
Owner

Add constraint-dependencies for transitive dependency security fixes:
- pyjwt>=2.12.0: CVE-2026-32597 (GHSA-752w-5fwx-jx9f) crit header validation bypass, CVSS 7.5
- orjson>=3.11.6: CVE-2025-67221 (GHSA-hx9q-6w63-j58v) unbounded recursion DoS, CVSS 7.5

Neither package is directly imported by this project.
pyjwt is transitive via fastmcp -> mcp -> pyjwt[crypto].
orjson is transitive via langsmith -> orjson.
Real-world exploitability is NONE/LOW.
@github-actions

Coverage report

This PR does not seem to contain any modification to coverable code.

@alex-feel alex-feel merged commit 9fc08ac into main Mar 27, 2026
6 checks passed
@alex-feel alex-feel deleted the alex-feel-dev branch March 27, 2026 21:39