Skip to content

[Aikido] Fix 2 critical issues in pyyaml and 11 other issues#47

Open
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-AIKIDO-460-AIKIDO-1260-AIKIDO-347-AIKIDO-1164-update-packages-63728079-3tdi
Open

[Aikido] Fix 2 critical issues in pyyaml and 11 other issues#47
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-AIKIDO-460-AIKIDO-1260-AIKIDO-347-AIKIDO-1164-update-packages-63728079-3tdi

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jul 9, 2026

Copy link
Copy Markdown

Upgrade PyYAML and urllib3 to fix critical RCE vulnerabilities in YAML deserialization and HIGH severity DoS/SSL verification issues in HTTP client. This update includes breaking changes that require manual migration.

⚠️ Incomplete breaking changes analysis (1/2 analyzed)

⚠️ Breaking changes analysis not available for: pyyaml

⚠️ The urllib3 upgrade from 1.23 to 2.7.0 introduces breaking changes that affect this codebase:

1. Python 2.7 Support Removed (2.0.0)

  • Where your code is affected: The entire codebase is written for Python 2.7 as indicated in setup.py line 17 ('Programming Language :: Python :: 2.7') and uses Python 2-specific imports like from HTMLParser import HTMLParser in elastalert/alerts.py line 14 and .iteritems() throughout multiple files (elastalert/alerts.py, elastalert/elastalert.py, elastalert/ruletypes.py, tests/base_test.py)

  • Impact: urllib3 2.0.0+ requires Python 3.7+, but this codebase is designed for Python 2.7. The application will fail to run as urllib3 2.7.0 cannot be installed or used with Python 2.7

  • Remediation: Either downgrade urllib3 to a version that supports Python 2.7 (1.26.x is the last version supporting Python 2.7), or migrate the entire codebase to Python 3.7+

2. Accessing urllib3 via requests.packages (Indirect Breaking Change)

  • Where your code is affected: elastalert/alerts.py in two locations within the HipChatAlerter.alert() and StrideAlerter.alert() methods where requests.packages.urllib3.disable_warnings() is called

  • Impact: While not explicitly listed in the urllib3 changelog, accessing urllib3 through requests.packages.urllib3 is a requests library implementation detail that may break with newer urllib3 versions. The disable_warnings() method signature or behavior may have changed

  • Remediation: Replace requests.packages.urllib3.disable_warnings() with direct urllib3 import: import urllib3; urllib3.disable_warnings() or use requests' own warning suppression mechanisms

All breaking changes by upgrading urllib3 from version 1.23 to 2.7.0 (CHANGELOG)

Version Description
1.24.0
Drop support for EOL Python 2.6
1.25.0
Require and validate certificates by default when using HTTPS
1.25.0
Upgraded urllib3.utils.parse_url() to be RFC 3986 compliant
1.25.0
Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft
2.0.0
Removed support for Python 2.7, 3.5, and 3.6
2.0.0
Removed fallback on certificate commonName in match_hostname() function
2.0.0
Removed support for Python with an ssl module compiled with LibreSSL, CiscoSSL, wolfSSL, and all other OpenSSL alternatives
2.0.0
Removed support for OpenSSL versions earlier than 1.1.1 or that don't have SNI support
2.0.0
Removed the list of default ciphers for OpenSSL 1.1.1+ and SecureTransport
2.0.0
Removed urllib3.contrib.appengine.AppEngineManager and support for Google App Engine Standard Environment
2.0.0
Removed deprecated Retry options method_whitelist, DEFAULT_REDIRECT_HEADERS_BLACKLIST
2.0.0
Removed urllib3.HTTPResponse.from_httplib
2.0.0
Removed default value of None for the request_context parameter of urllib3.PoolManager.connection_from_pool_key
2.0.0
Removed the urllib3.request module
2.0.0
Removed support for SSLv3.0 from the urllib3.contrib.pyopenssl
2.0.0
Removed the deprecated urllib3.contrib.ntlmpool module
2.0.0
Removed DEFAULT_CIPHERS, HAS_SNI, USE_DEFAULT_SSLCONTEXT_CIPHERS from urllib3.util.ssl_
2.0.0
Removed urllib3.exceptions.SNIMissingWarning
2.0.0
Removed the _prepare_conn method from HTTPConnectionPool
2.0.0
Removed tls_in_tls_required property from HTTPSConnection
2.0.0
Removed the strict parameter/attribute from HTTPConnection, HTTPSConnection, HTTPConnectionPool, HTTPSConnectionPool, and HTTPResponse
2.0.0
Changed urllib3.response.HTTPResponse.read to respect the semantics of io.BufferedIOBase regardless of compression
2.0.0
Changed urllib3.HTTPConnection.getresponse to return an instance of urllib3.HTTPResponse instead of http.client.HTTPResponse
2.0.0
Changed default SSLContext.minimum_version to be TLSVersion.TLSv1_2
2.0.0
Changed urllib3.util.create_urllib3_context to not override the system cipher suites with a default value
2.0.0
Changed multipart/form-data header parameter formatting matches the WHATWG HTML Standard
2.0.0
Changed the error raised when connecting via HTTPS when the ssl module isn't available from SSLError to ImportError
2.0.0
Changed enforce_content_length default to True
2.0.0
Changed all parameters in the HTTPConnection and HTTPSConnection constructors to be keyword-only except host and port
2.1.0
Removed support for the deprecated urllib3[secure] extra
2.1.0
Removed support for the deprecated SecureTransport TLS implementation
2.1.0
Removed support for the end-of-life Python 3.7
2.3.0
Removed support for Python 3.8
2.6.0
Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers
2.6.0
Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default)
2.6.0
The number of allowed chained encodings is now limited to 5
✅ 13 CVEs resolved by this upgrade, including 2 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2020-14343
🚨 CRITICAL
[pyyaml] Arbitrary code execution vulnerability in YAML processing when handling untrusted input through full_load or FullLoader, allowing attackers to execute arbitrary code via malicious YAML constructs.
CVE-2017-18342
🚨 CRITICAL
[pyyaml] In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
CVE-2023-43804
HIGH
[urllib3] A vulnerability allows unintended cookie leakage via HTTP redirects to different origins when users specify a Cookie header without explicitly disabling redirects. This can lead to information disclosure as sensitive cookie data may be exposed to unintended recipients.
CVE-2019-11324
HIGH
[urllib3] SSL certificate verification can be bypassed when custom CA certificates are specified, allowing connections that should fail to succeed due to improper handling of certificate validation contexts.
CVE-2025-66471
HIGH
[urllib3] The Streaming API improperly handles highly compressed data, allowing attackers to cause excessive CPU usage and massive memory allocation through decompression of small compressed payloads. This results in a denial-of-service vulnerability via resource exhaustion.
CVE-2026-21441
HIGH
[urllib3] Decompression bomb vulnerability in streaming API for HTTP redirects. Malicious servers can trigger excessive resource consumption by sending compressed redirect responses that are fully decompressed without respecting read limits.
CVE-2020-26137
MEDIUM
[urllib3] before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2024-37891
MEDIUM
[urllib3] The Proxy-Authorization header is not stripped during cross-origin redirects when set manually without using urllib3's proxy support, potentially leaking authentication credentials to malicious origins. This vulnerability requires manual header configuration, enabled redirects, and specific redirect conditions to be exploited.
CVE-2018-25091
MEDIUM
[urllib3] Authorization header is not removed when following cross-origin redirects, potentially exposing credentials to unintended hosts or transmitting them in cleartext.
CVE-2019-11236
MEDIUM
[urllib3] In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVE-2025-50181
MEDIUM
[urllib3] A vulnerability allows disabling redirects for all requests through improper PoolManager instantiation with retries configuration, potentially bypassing SSRF and open redirect mitigations. Applications relying on disabled redirects to prevent these vulnerabilities remain exposed to attacks.
CVE-2026-44431
MEDIUM
[urllib3] is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
CVE-2023-45803
MEDIUM
[urllib3] HTTP redirect responses (301, 302, 303) fail to remove request bodies when changing POST to GET, potentially leaking sensitive data to malicious redirect destinations. This information disclosure vulnerability requires a compromised trusted service to exploit.
🔗 Related Tasks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants