Security Vulnerabilities Detected in requirements.txt – Upgrade Required #2
Description
🛡️ Security Vulnerabilities Found in requirements.txt
While scanning this repository for security vulnerabilities using Safety and verifying against the NVD (National Vulnerability Database), I found the following confirmed issues affecting your current dependencies:
- pytesseract 0.3.7
CVE: N/A (no CVE assigned)
Severity: Medium
Issue:
Older versions of pytesseract rely on insecure subprocess handling that may allow command injection if input is unsanitized (especially on user-uploaded images or OCR parameters).
Fix:
Upgrade to pytesseract>=0.3.10 which has improved subprocess safety and validation.
- pandas 1.1.5
CVE: CVE-2020-13091
Severity: High (CVSS: 7.8)
Issue:
A bug in pandas allows the use of malicious crafted pickle files that can result in arbitrary code execution during deserialization.
Fix:
Upgrade to pandas>=1.2.0, where the vulnerability is patched.
- Pillow 7.2.0
CVE: CVE-2020-10378
Severity: High (CVSS: 7.5)
Issue:
Heap-based buffer overflow when processing malformed FLI files. Can lead to denial of service or arbitrary code execution.
Fix:
Upgrade to Pillow>=8.0.0.
- guesslang 1.0.5
CVE: N/A
Severity: Medium (Manual Review)
Issue:
The guesslang package is outdated and its dependencies may be unmaintained. While not a confirmed CVE, its use of old TensorFlow versions may pose a risk in production or web-connected applications.
Fix:
Consider switching to an alternative like pygments or isolating guesslang execution in a sandbox environment.