[Aikido] Fix 19 security issues in pymongo, cryptography, requests and 1 more #14

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-AIKIDO-509-AIKIDO-1318-AIKIDO-460-AIKIDO-1260-AIKIDO-781-AIKIDO-1430-update-packages-19247644-ezih

@aikido-autofix aikido-autofix Bot commented Mar 14, 2026

Upgrade dependencies to fix critical security vulnerabilities: PyMongo BSON deserialization memory leak, cryptography NULL-pointer DoS and RSA decryption flaw, and urllib3 decompression DoS. This update includes breaking changes that require manual migration.

⚠️ Code affected by breaking changes.

The package upgrades contain breaking changes that affect this codebase:

1. Python 3.8 Support Dropped

  • Where your code is affected: Dockerfile (line 1) specifies python:3.8-slim-buster

  • Impact: urllib3 2.3.0+ and pyjwt 2.10.0+ no longer support Python 3.8, which is the version currently used in the Docker container. The application will fail to install or run.

  • Remediation: Update the Dockerfile to use Python 3.9 or later (e.g., FROM python:3.9-slim-buster or FROM python:3.11-slim-buster).

2. Deprecated cryptography backend usage

  • Where your code is affected: main.py (line 8 and line 15) - imports and uses default_backend().load_pem_private_key()

  • Impact: While default_backend() still works in cryptography 46.0.5, this pattern has been deprecated since cryptography 3.x. The modern API no longer requires the backend parameter, and default_backend() may be removed in future versions.

  • Remediation: Replace from cryptography.hazmat.backends import default_backend with from cryptography.hazmat.primitives import serialization and change default_backend().load_pem_private_key(cert_bytes, None) to serialization.load_pem_private_key(cert_bytes, None).

All breaking changes by upgrading cryptography from version 39.0.1 to 46.0.5 (CHANGELOG)

| Version | Description |
|---|---|
| 40.0.0 | Changed how cryptography links OpenSSL for users building from source with their own OpenSSL version; the CFLAGS, LDFLAGS, INCLUDE, LIB, and CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS environment variables are no longer valid |
| 41.0.0 | Support for OpenSSL less than 1.1.1d has been removed |
| 41.0.0 | Support for Python 3.6 has been removed |
| 41.0.0 | Dropped support for LibreSSL < 3.6 |
| 42.0.0 | Dropped support for LibreSSL < 3.7 |
| 42.0.0 | Loading a PKCS7 with no content field using load_pem_pkcs7_certificates or load_der_pkcs7_certificates will now raise a ValueError rather than return an empty list |
| 43.0.0 | Support for OpenSSL less than 1.1.1e has been removed |
| 43.0.0 | Dropped support for LibreSSL < 3.8 |
| 43.0.0 | generate_private_key now enforces a minimum RSA key size of 1024-bit |
| 43.0.0 | NameAttribute now raises an exception when attempting to create a common name whose length is shorter or longer than RFC 5280 permits |
| 44.0.0 | Dropped support for LibreSSL < 3.9 |
| 45.0.0 | Made SSH private key loading more consistent: load_ssh_private_key now raises a TypeError if the key is unencrypted but a password is provided (previously no exception was raised), and raises a TypeError if the key is encrypted but no password is provided (previously a ValueError was raised) |
| 45.0.0 | The VerifiedClient.subject property can now be None since a custom extension policy may allow certificates without a Subject Alternative Name extension |
| 46.0.0 | Support for Python 3.7 has been removed |
| 46.0.0 | Removed the deprecated get_attribute_for_oid method on CertificateSigningRequest |
| 46.0.0 | Removed the deprecated CAST5, SEED, IDEA, and Blowfish classes from the cipher module |

All breaking changes by upgrading requests from version 2.25.1 to 2.32.4 (CHANGELOG)

| Version | Description |
|---|---|
| 2.26.0 | Requests has officially dropped support for Python 3.5. |
| 2.28.0 | Requests has officially dropped support for Python 2.7. |
| 2.28.0 | Requests has officially dropped support for Python 3.6 (including pypy3.6). |
| 2.30.0 | Added support for urllib3 2.0, which may contain minor breaking changes. |
| 2.32.0 | Requests has officially dropped support for CPython 3.7. |
| 2.32.0 | Requests has officially dropped support for PyPy 3.7 and 3.8. |

All breaking changes by upgrading pyjwt from version 2.5.0 to 2.12.0 (CHANGELOG)

| Version | Description |
|---|---|
| 2.10.0 | Drop support for Python 3.8 |
| 2.6.0 | Invalidate exp when exp == now() (tokens with expiration time exactly equal to current time are now considered invalid) |
| 2.6.0 | bump up cryptography >= 3.4.0 (minimum cryptography version requirement increased) |

✅ 19 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2024-5629 | HIGH | [pymongo] An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory. |
| CVE-2023-49083 | HIGH | [cryptography] The load_pem_pkcs7_certificates and load_der_pkcs7_certificates functions are vulnerable to NULL-pointer dereference when processing malformed PKCS7 blobs, causing application crashes and Denial of Service. |
| CVE-2023-50782 | HIGH | [cryptography] A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. |
| CVE-2024-26130 | HIGH | [cryptography] A NULL pointer dereference occurs in pkcs12.serialize_key_and_certificates when called with a mismatched certificate/private key pair and PKCS12 encryption with hmac_hash, causing process crash (DoS). This is fixed to properly raise a ValueError instead. |
| CVE-2026-26007 | MEDIUM | [cryptography] Missing validation of elliptic curve public key points allows attackers to use small-order subgroup points, enabling private key information leakage via ECDH and signature forgery via ECDSA on affected curves. |
| CVE-2024-0727 | MEDIUM | [cryptography] A NULL pointer dereference in PKCS12 file processing allows attackers to crash applications by providing maliciously formatted files, causing a Denial of Service. Vulnerable APIs include PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes(), and PKCS12_newpass(). |
| GHSA-h4gh-qq45-vh27 | MEDIUM | [cryptography] Statically linked OpenSSL in wheels contains a security vulnerability that could allow remote code execution or denial of service attacks. Users installing from PyPI wheels are affected and must update. |
| GHSA-5cpq-8wj7-hf2v | LOW | [cryptography] A statically linked OpenSSL vulnerability in wheels allows potential remote code execution or denial of service attacks. Users installing from PyPI wheels are affected and must update. |
| GHSA-jm77-qphf-c4w8 | LOW | [cryptography] Wheels contain a statically linked OpenSSL with multiple security vulnerabilities including potential RCE and DoS issues. Users installing from PyPI wheels must update to receive patched OpenSSL versions. |
| GHSA-v8gr-m533-ghj9 | LOW | [cryptography] Statically linked OpenSSL in wheels contains multiple security vulnerabilities including potential remote code execution and denial of service issues. Users installing from PyPI wheels are affected and must update. |
| CVE-2025-66418 | HIGH | [urllib3] An unbounded decompression chain vulnerability allows malicious servers to insert unlimited compression steps, causing excessive CPU usage and memory allocation. This leads to denial of service through resource exhaustion. |
| CVE-2025-66471 | HIGH | [urllib3] The Streaming API improperly handles highly compressed data, allowing attackers to cause excessive CPU usage and massive memory allocation through decompression of small compressed payloads. This results in a denial-of-service vulnerability via resource exhaustion. |
| CVE-2026-21441 | HIGH | [urllib3] Decompression bomb vulnerability in streaming API for HTTP redirects. Malicious servers can trigger excessive resource consumption by sending compressed redirect responses that are fully decompressed without respecting read limits. |
| CVE-2025-50181 | MEDIUM | [urllib3] A vulnerability allows disabling redirects for all requests through improper PoolManager instantiation with retries configuration, potentially bypassing SSRF and open redirect mitigations. Applications relying on disabled redirects to prevent these vulnerabilities remain exposed to attacks. |
| CVE-2026-32597 | HIGH | [pyjwt] PyJWT fails to validate the crit (Critical) Header Parameter in JWS tokens, accepting tokens with unknown extensions instead of rejecting them as required by RFC 7515, potentially allowing attackers to bypass security controls. |
| CVE-2023-32681 | MEDIUM | [requests] HTTP library leaks Proxy-Authorization headers to destination servers during HTTPS redirects, allowing malicious actors to exfiltrate proxy credentials and sensitive information. |
| CVE-2024-35195 | MEDIUM | [requests] A vulnerability allows certificate verification to be permanently disabled for a host after the first request with verify=False, causing all subsequent requests to ignore certificate verification regardless of parameter changes, enabling man-in-the-middle attacks. |
| CVE-2024-47081 | MEDIUM | [requests] A URL parsing vulnerability allows maliciously-crafted URLs to leak .netrc credentials to third parties. This could enable credential theft and unauthorized access to authenticated services. |
| CVE-2024-3651 | LOW | [idna] The encode() function is vulnerable to denial of service through quadratic complexity when processing crafted input strings, causing excessive computational load and processing delays proportional to input size. |

🔗 Related Tasks

@aikido-autofix aikido-autofix Bot closed this Mar 27, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-AIKIDO-509-AIKIDO-1318-AIKIDO-460-AIKIDO-1260-AIKIDO-781-AIKIDO-1430-update-packages-19247644-ezih branch March 27, 2026 00:07
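
The crit handling described in the CVE-2026-32597 row above, as an added example that is not part of this pull request or of PyJWT's code: a standard-library pre-check of a JWS header against the RFC 7515 section 4.1.11 rules. The names `check_crit`, `make_token` and the `understood` allow-list are hypothetical, the sample tokens are constructed, and the check inspects the header only and does not verify signatures.

```python
import base64
import json

# Names RFC 7515 itself registers; section 4.1.11 says producers must not
# list these in "crit". (JWA-registered names are left out of this example.)
JWS_REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                  "x5t#S256", "typ", "cty", "crit"}


class CritError(ValueError):
    """The token's "crit" header requires rejecting the token."""


def _b64url_decode(segment: str) -> bytes:
    # JWS uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_crit(token: str, understood: frozenset = frozenset()) -> dict:
    # `understood` (hypothetical name) is the application's allow-list of
    # extension header names it really implements; empty means none.
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise CritError("malformed JWS header") from exc
    if not isinstance(header, dict):
        raise CritError("JWS header is not a JSON object")
    if "crit" not in header:
        return header
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise CritError('"crit" must be a non-empty array')
    if not all(isinstance(n, str) for n in crit) or len(set(crit)) != len(crit):
        raise CritError('"crit" must hold unique strings')
    for name in crit:
        if name in JWS_REGISTERED:
            raise CritError(f'registered name {name!r} listed in "crit"')
        if name not in header:
            raise CritError(f"critical parameter {name!r} missing from header")
        if name not in understood:
            raise CritError(f"unsupported critical extension {name!r}")
    return header


def make_token(header: dict) -> str:
    """Build a constructed, unsigned sample token (demonstration only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    body = enc({"sub": "demo"})
    return f"{enc(header)}.{body}.c2ln"
```

Run it before handing the token to the JWT library, so a token carrying an extension the application does not implement is rejected whichever PyJWT version is installed.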