
fix(security): resolve 13 CVEs in examples/celery/requirements.txt#5992

Closed
AhsanSheraz wants to merge 1 commit intopallets:mainfrom
AhsanSheraz:fix/celery-example-security-vulnerabilities

Conversation

@AhsanSheraz AhsanSheraz commented Apr 10, 2026

Summary

Update pinned dependency versions in examples/celery/requirements.txt to resolve 13 known security vulnerabilities (1 HIGH, 11 MEDIUM, 1 LOW).

Fixes #5991

Changes

| Package | Old Version | New Version | CVEs Fixed |
| --- | --- | --- | --- |
| flask | 2.3.2 | 3.1.3 | CVE-2026-27205 |
| werkzeug | 2.3.3 | 3.1.6 | CVE-2024-34069, CVE-2023-46136, CVE-2024-49766, CVE-2024-49767, CVE-2025-66221, CVE-2026-21860, CVE-2026-27199 |
| jinja2 | 3.1.2 | 3.1.6 | CVE-2024-22195, CVE-2024-34064, CVE-2024-56201, CVE-2024-56326, CVE-2025-27516 |
| blinker | 1.6.2 | 1.9.0 | (flask 3.x transitive dep) |
| itsdangerous | 2.1.2 | 2.2.0 | (flask 3.x transitive dep) |
| markupsafe | 2.1.2 | 3.0.3 | (compatible upgrade) |

Context

Verification

Trivy filesystem scan after this change reports 0 vulnerabilities across all severity levels (CRITICAL, HIGH, MEDIUM, LOW).

$ trivy fs . --scanners vuln --skip-dirs .venv --severity CRITICAL,HIGH,MEDIUM,LOW
INFO  Number of language-specific files  num=0

Test Plan

  • Trivy rescan confirms 0 vulnerabilities
  • Celery example application runs with updated dependencies
  • No breaking API changes affect the example code (Flask 3.x is backwards-compatible for basic usage)
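Editor's note on the verification above: the quoted Trivy run ends with `Number of language-specific files num=0`, which is Trivy reporting that it parsed no dependency manifest in that invocation, so a zero-finding result from that run is not by itself evidence that `examples/celery/requirements.txt` was checked. A cheap, offline cross-check is to compare every exact pin in the file against a floor table. The script below is an added example written for this page, not code from the Flask repository or from the PR author; its floor table is copied from the "New Version" column of the PR table above (an assumption that those are the minimum versions carrying the cited fixes, not figures taken from the advisories), and both sample manifests are constructed inline rather than read from the repository.

```python
import re
from typing import Dict, List, Tuple

# Floors copied from the "New Version" column of the PR table above.
# Assumption: the PR's chosen versions are the minimum that carry the cited fixes.
MIN_VERSIONS: Dict[str, str] = {
    "flask": "3.1.3",
    "werkzeug": "3.1.6",
    "jinja2": "3.1.6",
    "blinker": "1.9.0",
    "itsdangerous": "2.2.0",
    "markupsafe": "3.0.3",
}

# Constructed sample manifests; not the repository's actual file contents.
PATCHED_REQUIREMENTS = """\
# constructed to match the PR's new pins
flask==3.1.3
werkzeug==3.1.6
jinja2==3.1.6
blinker==1.9.0
itsdangerous==2.2.0
markupsafe==3.0.3
celery==5.3.1  # not in the floor table, so it is skipped
"""

OLD_REQUIREMENTS = """\
flask==2.3.2
werkzeug==2.3.3
jinja2>=3.1.2
"""

# name, optional [extras], optional operator + version; environment markers after ';' are ignored
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?:(==|>=|<=|~=|!=|>|<)\s*([^\s;]+))?"
)


def normalize(name: str) -> str:
    """PEP 503 normalisation so Flask/flask and MarkupSafe/markupsafe match the floor table."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return a sortable key for a simple PEP 440 version.

    Only the numeric release segments are compared; any trailing suffix
    (rc1, a0, .dev1, .post1) is treated as sorting below the final release.
    That is conservative: a '.post' release is flagged as below the floor
    rather than silently accepted.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # so that 3.1 compares equal to 3.1.0
    return release, (0 if m.group(2) else 1)


def check_requirements(text: str, floors: Dict[str, str] = MIN_VERSIONS) -> List[dict]:
    """Compare each requirement line against the floor table.

    Statuses: 'ok', 'below-floor', 'unpinned' (no exact == pin, so a resolver
    may still select an unpatched release), 'unparseable'. Packages absent
    from the floor table are skipped.
    """
    findings: List[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or an option such as -r/-e
            continue
        m = _REQ_RE.match(line)
        if not m:
            findings.append({"name": line, "status": "unparseable"})
            continue
        name, op, version = normalize(m.group(1)), m.group(2), m.group(3)
        floor = floors.get(name)
        if floor is None:
            continue
        if op != "==":
            status = "unpinned"
        elif parse_version(version) >= parse_version(floor):
            status = "ok"
        else:
            status = "below-floor"
        findings.append({"name": name, "pinned": version, "floor": floor, "status": status})
    return findings


def violations(text: str) -> List[str]:
    """Names of packages that fail the check, in file order."""
    return [f["name"] for f in check_requirements(text) if f["status"] != "ok"]


if __name__ == "__main__":
    for label, manifest in (("patched", PATCHED_REQUIREMENTS), ("old", OLD_REQUIREMENTS)):
        for f in check_requirements(manifest):
            print(f"{label:7} {f['name']:13} {f['status']:12} pinned={f.get('pinned')} floor={f.get('floor')}")
```

Against the real file, `violations(open("examples/celery/requirements.txt").read())` should return an empty list once the PR is applied. The check only confirms that the pins meet the floors the PR itself chose; it is a complement to, not a replacement for, a scanner run whose log shows it actually parsed the manifest (for Trivy, a `Number of language-specific files` count of at least 1).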

Update pinned versions in examples/celery/requirements.txt to resolve
13 known security vulnerabilities (1 HIGH, 11 MEDIUM, 1 LOW):

- werkzeug 2.3.3 -> 3.1.6 (CVE-2024-34069, CVE-2023-46136, CVE-2024-49766, CVE-2024-49767, CVE-2025-66221, CVE-2026-21860, CVE-2026-27199)
- jinja2 3.1.2 -> 3.1.6 (CVE-2024-22195, CVE-2024-34064, CVE-2024-56201, CVE-2024-56326, CVE-2025-27516)
- flask 2.3.2 -> 3.1.3 (CVE-2026-27205)

Also bumps transitive deps for compatibility:
- blinker 1.6.2 -> 1.9.0
- itsdangerous 2.1.2 -> 2.2.0
- markupsafe 2.1.2 -> 3.0.3

Development

Successfully merging this pull request may close these issues.

Security: 13 known CVEs in examples/celery/requirements.txt

3 participants