wandb-0.16.0-py3-none-any.whl: 2 vulnerabilities (highest severity is: 8.6)

[mend-for-github-com]

Vulnerable Library - wandb-0.16.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/requests-2.32.5.dist-info

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Vulnerabilities

Vulnerability	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (wandb version)	Remediation Possible**	Reachability
CVE-2026-0994	High	8.6	Not Defined	0.0%	protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl	Transitive	N/A*	❌
CVE-2026-25645	Medium	4.4	Not Defined	0.0%	requests-2.32.5-py3-none-any.whl	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-0994

Vulnerable Library - protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl

No project description provided

Library home page: https://files.pythonhosted.org/packages/d6/c6/c9deaa6e789b6fc41b88ccbdfe7a42d2b82663248b715f55aa77fbc00724/protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/protobuf-4.25.8.dist-info

Dependency Hierarchy:

• wandb-0.16.0-py3-none-any.whl (Root Library)
  • ❌ protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Publish Date: 2026-01-23

URL: CVE-2026-0994

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-23

Fix Resolution: protobuf - 6.33.5,https://github.com/protocolbuffers/protobuf.git - v33.5,https://github.com/protocolbuffers/protobuf.git - v5.29.6

CVE-2026-25645

Vulnerable Library - requests-2.32.5-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/requests-2.32.5.dist-info

Dependency Hierarchy:

• wandb-0.16.0-py3-none-any.whl (Root Library)
  • ❌ requests-2.32.5-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

Requests is a HTTP library. Prior to version 2.33.0, the "requests.utils.extract_zipped_paths()" utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call "extract_zipped_paths()" directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set "TMPDIR" in their environment to a directory with restricted write access.

Publish Date: 2026-03-25

URL: CVE-2026-25645

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (4.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-25

Fix Resolution: https://github.com/psf/requests.git - v2.33.0

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.