
fix: CVE-2026-25990 - update Pillow to >=12.1.1 #1128

Open
VedantMahabaleshwarkar wants to merge 1 commit into opendatahub-io:release-v0.15 from VedantMahabaleshwarkar:storage-init-cves

Conversation

@VedantMahabaleshwarkar

  • Add Pillow >=12.1.1 constraint to kserve/pyproject.toml (Out-of-bounds Write via Specially Crafted PSD Image)
  • Update Pillow constraint in custom_model, custom_transformer, and artexplainer to match
  • Regenerate poetry.lock files

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes https://issues.redhat.com/browse/RHOAIENG-44976, https://issues.redhat.com/browse/RHOAIENG-49465

Checklist:

  • Have you linked the JIRA issue(s) to this PR?

- Add Pillow >=12.1.1 constraint to kserve/pyproject.toml
  (Out-of-bounds Write via Specially Crafted PSD Image)
- Update Pillow constraint in custom_model, custom_transformer,
  and artexplainer to match
- Regenerate poetry.lock files

Signed-off-by: Vedant Mahabaleshwarkar <vmahabal@redhat.com>
@coderabbitai

coderabbitai bot commented Feb 24, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@openshift-ci

openshift-ci bot commented Feb 24, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: VedantMahabaleshwarkar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [VedantMahabaleshwarkar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@VedantMahabaleshwarkar
Author

/retest

@dchourasia

/test kserve-controller-on-pull-request branch:release-v0.15

@openshift-ci

openshift-ci bot commented Feb 25, 2026

@dchourasia: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test e2e-graph
/test e2e-llm-inference-service
/test e2e-predictor
/test e2e-raw
/test images
/test pr-image-mirror-kserve-agent
/test pr-image-mirror-kserve-controller
/test pr-image-mirror-kserve-router
/test pr-image-mirror-kserve-storage-initializer

Use /test all to run all jobs.

Details

In response to this:

/test kserve-controller-on-pull-request branch:release-v0.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Projects

Status: New/Backlog
2 participants