mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-03-10 01:46:23 +08:00
### What problem does this PR solve?

This PR remediates three HIGH severity vulnerabilities in urllib3 affecting the admin client and Python SDK:

- **CVE-2025-66418**: Unbounded decompression chain leads to resource exhaustion
- **CVE-2025-66471**: Streaming API improperly handles highly compressed data
- **CVE-2026-21441**: Decompression-bomb safeguard bypass when following HTTP redirects

Trivy security scan identified urllib3 v2.5.0 as vulnerable in both `admin/client/uv.lock` and `sdk/python/uv.lock`. This PR updates urllib3 to v2.6.3 to eliminate these security risks.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)