Current State: Dependency exception
Description
Alerts: Dependabot alerts 33, 34, 38
Severity: HIGH 7.8 (NIST NVD, CVE-2026-8087) / Medium for others — Dependabot rates all three LOW, but NIST disagrees on CVE-2026-8087
Component: hastelib/pyproject.toml, docker/imageryprep/requirements.txt
Vulnerabilities
Three memory-safety bugs in GDAL 3.9.2:
| Alert |
CVE |
NIST Severity |
Description |
| 34 |
CVE-2026-8087 |
HIGH 7.8 |
Heap-based buffer overflow in HDF4/EOS GDnentries |
| 33 |
CVE-2026-8088 |
Medium 5.5 |
Out-of-bounds read in GDfieldinfo |
| 38 |
CVE-2026-8212 |
Medium 5.5 |
Out-of-bounds read in SWSDfldsrch |
All three are file-parsing vulnerabilities. HASTE uses GDAL throughout hastelib to read satellite imagery (GeoTIFF, COG, HDF4-EOS) sourced from external providers. A malicious file delivered via imagery provider API could trigger these in the imageryprep pipeline or Azure Functions.
Fix
Upgrade GDAL from 3.9.2 to 3.13.x.
⚠️ HASTE uses a custom-built manylinux wheel
GDAL is not installable from PyPI — HASTE builds and hosts its own wheel at an Azure Blob URL. This is not a simple version bump.
Required steps:
Owner: GIS Agent + Backend Dev Agent
Interim mitigations (until upgrade is complete)
- Ensure all imagery input is received from authenticated, known-good provider APIs only
- Consider adding magic-byte pre-validation before passing files to GDAL
References
Current State: Dependency exception
Description
Alerts: Dependabot alerts 33, 34, 38
Severity: HIGH 7.8 (NIST NVD, CVE-2026-8087) / Medium for others — Dependabot rates all three LOW, but NIST disagrees on CVE-2026-8087
Component:
hastelib/pyproject.toml,docker/imageryprep/requirements.txtVulnerabilities
Three memory-safety bugs in GDAL 3.9.2:
GDnentriesGDfieldinfoSWSDfldsrchAll three are file-parsing vulnerabilities. HASTE uses GDAL throughout
hastelibto read satellite imagery (GeoTIFF, COG, HDF4-EOS) sourced from external providers. A malicious file delivered via imagery provider API could trigger these in the imageryprep pipeline or Azure Functions.Fix
Upgrade GDAL from 3.9.2 to 3.13.x.
GDAL is not installable from PyPI — HASTE builds and hosts its own wheel at an Azure Blob URL. This is not a simple version bump.
Required steps:
GDAL-3.13.x-cp311-cp311-manylinux_2_17_x86_64.whl(see existing build process)researchlabwuopendata.blob.core.windows.net/haste-binaries/)docker/imageryprep/requirements.txthastelib/pyproject.tomlspec/architecture/decisions/documenting the wheel build processOwner: GIS Agent + Backend Dev Agent
Interim mitigations (until upgrade is complete)
References
docs/security-triage-2026-06-23.md