Description
Alert: Dependabot alert 40
CVE: CVE-2026-25087 · GHSA-rgxp-2hwp-jwgg
Severity: High
Component: docker/imageryprep/requirements.txt (imageryprep Docker container, Azure Batch)
Vulnerability
Use-after-free in pyarrow's IPC file reader when pre-buffering is enabled. A crafted Arrow/Parquet file can cause memory corruption, potentially leading to remote code execution inside the imageryprep Azure Batch node. If exploited, the attacker gains access to the node's Managed Service Identity (MSI) token, which can be used to read/write Blob storage and Data Lake.
pyarrow 18.1.0 is currently pinned in docker/imageryprep/requirements.txt and falls within the vulnerable range >= 15.0.0, < 23.0.1.
Fix
docker/imageryprep/requirements.txt: pyarrow==18.1.0 → pyarrow==23.0.1
hastelib/pyproject.toml: "pyarrow" → "pyarrow>=23.0.1"
⚠️ This is a major version jump (18.x → 23.x)
Breaking API changes are likely. The following must be completed before merging:
References
Description
Alert: Dependabot alert 40
CVE: CVE-2026-25087 · GHSA-rgxp-2hwp-jwgg
Severity: High
Component:
docker/imageryprep/requirements.txt(imageryprep Docker container, Azure Batch)Vulnerability
Use-after-free in pyarrow's IPC file reader when pre-buffering is enabled. A crafted Arrow/Parquet file can cause memory corruption, potentially leading to remote code execution inside the imageryprep Azure Batch node. If exploited, the attacker gains access to the node's Managed Service Identity (MSI) token, which can be used to read/write Blob storage and Data Lake.
pyarrow 18.1.0 is currently pinned in
docker/imageryprep/requirements.txtand falls within the vulnerable range>= 15.0.0, < 23.0.1.Fix
Breaking API changes are likely. The following must be completed before merging:
References
docs/security-triage-2026-06-23.md