Vulnerability CVE-2026-3805 on jupyterhub/configurable-http-proxy 5.2.0

[Upanshu11]

Bug description

The latest version at the current time 5.2.0 is having a High Vulnerability CVE-2026-3805

[manics]

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

configurable-http-proxy doesn't make SMB requests, so it shouldn't be vulnerable.

[minrk]

@manics WDYT about building the CHP image in jupyterhub/jupyterhub-container-images, so it can get security bumps without fresh releases like we can do now for jupyterhub?

[manics]

In principle that would work, we'd have to set it up as a monorepo, have separate workflow files for each set of images, and use on.push.paths to control which images were rebuilt. Is package-lock.json included in the published NPM package? If so we'd need to remove it.

[minrk]

I'm also okay publishing tagged releases for this repo that only update the image, if that turns out to be easier.

This CVE is in curl, so wouldn't that be in the base image, not package-lock.json?

[manics]

Yes, you're right. So question is whether we should split the updates, so operating system updates are handled in jupyterhub-container-images and JS updates require a release of this repo, or whether to handle them together.

[minrk]

Yeah, that was my idea - like JupyterHub, we could rebuild the image for CHP without to address CVEs in the underling environment, which are constantly coming, not the direct js dependencies, which warrant a real version bump.

[minrk]

Only if it's not a pain, because version bumps here are very cheap and easy.