Skip to content

Security: 8 advisory fixes for NSPECT-S62Q-PZUD (collection, 2 children)#703

Draft
nv-rag-cve-bot[bot] wants to merge 2 commits into
developfrom
cve-fix/NSPECT-S62Q-PZUD-20260701-023216
Draft

Security: 8 advisory fixes for NSPECT-S62Q-PZUD (collection, 2 children)#703
nv-rag-cve-bot[bot] wants to merge 2 commits into
developfrom
cve-fix/NSPECT-S62Q-PZUD-20260701-023216

Conversation

@nv-rag-cve-bot

@nv-rag-cve-bot nv-rag-cve-bot Bot commented Jul 1, 2026

Copy link
Copy Markdown

Summary

Security fix run for NSPECT-S62Q-PZUD (Foundational RAG Downloadable NIM Agent Blueprint — collection, 2 children). Addresses 8 advisories covering 17+ Critical/High CVEs across Python and frontend dependency surfaces.

  • NSPECT-UV6I-R3V9 (Container child): all source-surface critical/high CVEs fixed ✅
  • NSPECT-O8B9-SHZ8 (Helm Chart child): no additional changes needed — source CVEs covered by UV6I fixes ✅

Python fixes

Package Old New CVEs
aiohttp 3.13.5 (override floor 3.13.4) 3.14.1 CVE-2026-54274 + 10 others (Critical/High)

Frontend fixes

Package Old New Advisory
vitest / @vitest/coverage-v8 / @vitest/ui ^3.2.4 ^3.2.6 GHSA-5xrq-8626-4rwp (Critical RCE)
vite ^6.3.5 ^6.4.3 GHSA-fx2h-pf6j-xcff, GHSA-g4jq (High: path traversal, NTLM)
react-router-dom ^7.12.0 ^7.15.0 (→7.18.1) Multiple High react-router advisories
ws (transitive) <8.21.0 >=8.21.0 pnpm override
tar (transitive) <7.5.16 >=7.5.16 pnpm override
glob (transitive) <10.5.0 >=10.5.0 pnpm override

Validation

Step Status
§5a-repro (pre-fix scan) ✅ aiohttp 3.13.5 / 11 CVEs confirmed; pnpm audit confirmed frontend vulns
§5a re-scan (post-fix) ✅ uv.lock: aiohttp 3.14.1; venv: 3.14.1; pnpm audit: 0 high/critical
§5a-sweep ✅ Full sweep clean
§5b unit tests ⏳ pending CI (pipeline mode)
§5c lint ⏳ pending CI (pipeline mode)
§5d smoke test ⏳ pending CI (pipeline mode)

Validation mode: --validate pipeline — §5b/§5c/§5d run in CI, not locally.

Expert Review (Phase 6)

R1 CVE Linkage: pass · R2 API Compatibility: pass · R3 Transitive Impact: pass · R4 Scope Discipline: minor (resolved) · R5 Test Adequacy: pass

Deferred (not in scope)

Container-surface CVEs in rag-frontend base image (Go runtime, glibc, OpenSSL: 5 Critical + 37 High) — require --include-base-image / Track C base-image bump. Re-run with that flag to address.

Additional source CVEs observed but not fixed in this batch: langchain-core, starlette, langsmith, python-multipart, cryptography, langgraph-sdk advisories — separate fix run recommended.

Test plan

  • CI passes: unit-tests, frontend-unit-tests, static-analysis
  • GPU docker-tests chain passes (gated via --ci-wait-gpu)
  • Review diff: pyproject.toml aiohttp floor, uv.lock, frontend/package.json, pnpm-lock.yaml, test pin
  • Confirm pnpm audit returns 0 in CI environment
  • Set NVBug BugAction/Disposition for CVE-2026-54274 and related advisories

Note: cve-fix-reports/ is a local-only audit directory (not committed). Add it to .gitignore:

echo 'cve-fix-reports/' >> .gitignore

🤖 Generated with agentic-cve-fix for NSPECT-S62Q-PZUD

NVIDIA RAG added 2 commits July 1, 2026 02:35
Raises the aiohttp override floor in [tool.uv] override-dependencies to
3.14.1, fixing 11 Critical/High CVEs in aiohttp 3.13.x. uv.lock
regenerated; version-pin test added; integration test floor updated.
Re-scan confirmed: uv.lock pins 3.14.1; venv confirms 3.14.1 at runtime.
§5b/§5c/§5d validation relocated to CI Phase 9 (--validate pipeline).

Refs: NSPECT-S62Q-PZUD (collection)
Refs: NSPECT-UV6I-R3V9 (child)
Generated-by: agentic-cve-fix
Signed-off-by: NVIDIA RAG <foundational-rag-dev@exchange.nvidia.com>
Fixes multiple Critical/High frontend CVEs:
- vitest ^3.2.4→^3.2.6: GHSA-5xrq-8626-4rwp (Critical RCE)
- vite ^6.3.5→^6.4.3: GHSA-fx2h-pf6j-xcff, GHSA-g4jq (path traversal/NTLM)
- react-router-dom ^7.12.0→^7.15.0: multiple High advisories (resolves 7.18.1)
- pnpm overrides: ws>=8.21.0, tar>=7.5.16, glob>=10.5.0 (transitive CVEs)
pnpm-lock.yaml regenerated; pnpm audit reports 0 high/critical after fix.
§5b/§5c/§5d validation relocated to CI Phase 9 (--validate pipeline).

Refs: NSPECT-S62Q-PZUD (collection)
Refs: NSPECT-UV6I-R3V9 (child)
Generated-by: agentic-cve-fix
Signed-off-by: NVIDIA RAG <foundational-rag-dev@exchange.nvidia.com>
@copy-pr-bot

copy-pr-bot Bot commented Jul 1, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants