
Use of software with known vulnerabilities in environments

Need

Remediation of dependencies with known vulnerabilities in pip

Context

• Usage of pip for package management in Python projects

• Usage of requirements.txt or pyproject.toml for declaring dependencies

Description

1. Non compliant code

# requirements.txt
urllib3==1.26.5
requests==2.28.0
flask==2.3.0

# pip-audit output:
# urllib3  1.26.5   - CRLF injection        - direct
# Jinja2   3.1.2    - Cross-site scripting   - transitive (via flask)

The requirements.txt file above pins urllib3 to version 1.26.5, which contains a known request smuggling vulnerability via CRLF injection (CVE-2023-45803). Additionally, the project depends on flask, which transitively pulls in Jinja2 3.1.2 with a known cross-site scripting vulnerability. Direct dependencies appear explicitly in requirements.txt, while transitive dependencies are resolved by pip and may not be visible in the requirements file at all. Both types must be audited and remediated.

2. Steps

• Run pip-audit or safety check to identify packages with known vulnerabilities

• Update vulnerable direct dependencies in requirements.txt or pyproject.toml

• For transitive dependencies, update the parent package that pulls them in

• If updating the parent does not resolve the issue, add the transitive dependency as an explicit requirement with a safe version constraint

• Alternatively, use a pip constraint file to override transitive versions

• Run pip install, then verify with pip-audit and the test suite

• If no safe version exists upstream, monitor the repository for a patch

3. Secure code example

# requirements.txt
urllib3==2.0.7
requests==2.31.0
flask==2.3.0
Jinja2>=3.1.3

# Alternative: constraints.txt
# Jinja2>=3.1.3...

The fixed requirements.txt updates urllib3 to a patched version and adds Jinja2 as an explicit dependency with a safe version constraint. Because Jinja2 is now listed directly, pip must resolve a version that satisfies both flask's own requirement and the explicit lower bound, so the vulnerable 3.1.2 can no longer be selected. An alternative approach for transitive overrides is to use pip constraint files. Create a constraints.txt file with the safe versions and install with pip install -c constraints.txt -r requirements.txt. A constraint only restricts the version of packages that are already required; it does not install a package by itself, so it is suited to transitive dependencies that are already pulled in.
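The triage in the steps above and the direct-versus-transitive split described here, as an added example that is not part of the original entry: a script that reads a pip-audit JSON report and drafts the fix, re-pinning direct dependencies in requirements.txt, writing constraint lines for transitive ones, and flagging packages with no fixed release for monitoring. It assumes the `pip-audit -f json` report shape (a "dependencies" list whose entries carry "name", "version" and "vulns" with "fix_versions"); the requirements file and the report are constructed, and the advisory IDs are placeholders.

```python
import json
import re

# Constructed requirements.txt mirroring the non-compliant example above.
REQUIREMENTS = "urllib3==1.26.5\nrequests==2.28.0\nflask==2.3.0\n"

# Constructed pip-audit report (advisory IDs are placeholders). Assumes the
# `pip-audit -f json` shape: dependencies[] with name, version, vulns[].fix_versions.
AUDIT_JSON = json.dumps({"dependencies": [
    {"name": "urllib3", "version": "1.26.5",
     "vulns": [{"id": "EXAMPLE-1", "fix_versions": ["1.26.18", "2.0.7"]}]},
    {"name": "Jinja2", "version": "3.1.2",
     "vulns": [{"id": "EXAMPLE-2", "fix_versions": ["3.1.3"]}]},
    {"name": "flask", "version": "2.3.0", "vulns": []},
    {"name": "oldlib", "version": "0.1", "vulns": [{"id": "EXAMPLE-3", "fix_versions": []}]},
]})

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\S+)")


def parse_pins(text):
    """Return {normalized name: version} for every `name==version` line."""
    return {m.group(1).lower().replace("_", "-"): m.group(2)
            for m in map(_PIN.match, text.splitlines()) if m}


def _vkey(v):  # numeric dotted versions only (enough for this sample)
    return tuple(int(p) for p in v.split("."))


def plan_remediation(audit_json, requirements_text):
    """Map vulnerable packages to (scope, version): 'direct' (re-pin in
    requirements.txt), 'transitive' (override via constraints.txt) or
    'unfixed' (no safe upstream release yet; monitor the project)."""
    direct, plan = parse_pins(requirements_text), {}
    for dep in json.loads(audit_json)["dependencies"]:
        if not dep["vulns"]:
            continue
        # Lowest fixed release per advisory, then the highest of those, so one version clears all.
        fixed = [min(v["fix_versions"], key=_vkey) for v in dep["vulns"] if v["fix_versions"]]
        if len(fixed) < len(dep["vulns"]):
            plan[dep["name"]] = ("unfixed", None)
            continue
        scope = "direct" if dep["name"].lower().replace("_", "-") in direct else "transitive"
        plan[dep["name"]] = (scope, max(fixed, key=_vkey))
    return plan


def render(plan):
    """Direct fixes become new pins; transitive ones become constraint lines."""
    pins = [f"{n}=={v}" for n, (s, v) in plan.items() if s == "direct"]
    constraints = [f"{n}>={v}" for n, (s, v) in plan.items() if s == "transitive"]
    return pins, constraints
```

The script picks the lowest release that clears every advisory on a package; the secure example above instead jumps urllib3 to 2.0.7, which is equally valid once the test suite passes.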