fix(security): patch starlette CVE-2026-48818 and CVE-2026-54283 #2138

Open: jsonmp-k8 wants to merge 4 commits into kagent-dev:main from jsonmp-k8:fix/security-starlette-cve-follow-up

@jsonmp-k8

Contributor

Summary

Follow-up to #2133 (which patched shell-quote, PyJWT, and pyarrow but left starlette on 0.52.1 in main and 0.47.2 in the samples/adk/basic image). This PR closes the remaining two HIGH-severity Trivy findings that the app image scan is still flagging.

CVEs closed:

  • starlette CVE-2026-48818 (HIGH) — SSRF and NTLM credential theft via UNC paths in StaticFiles. Fix: starlette>=1.1.0.
  • starlette CVE-2026-54283 (HIGH) — request.form() limits silently ignored for application/x-www-form-urlencoded, enabling DoS. Fix: starlette>=1.3.1.

Why the google-adk major version bump is unavoidable

The reviewer on #2133 raised a fair concern that upgrading google-adk v1 → v2 is a large behavior change for a "security patch". This isn't scope creep — it's the shortest forced chain:

  1. Both starlette CVEs are fixed only in the starlette 1.x line. There is no 0.x backport.
  2. google-adk<2 hard-pins starlette<1.0.0, so it is impossible to install starlette 1.x with google-adk v1.
  3. google-adk 2.2.0 is the earliest 2.x release that supports starlette>=1.0.1 and stays within kagent-core's existing opentelemetry-api>=1.38.0,<1.39.0 pin (google-adk 2.3.0 would have forced opentelemetry ≥1.39 too). Picking 2.2.0 minimizes the transitive blast radius.

The alternative — filing a VEX / .trivyignore if the CVEs are not exploitable in kagent's usage — was considered. It would require an audit of whether kagent-adk / the app image exposes starlette.StaticFiles or handles application/x-www-form-urlencoded form parsing. Happy to switch to that approach instead if reviewers prefer, but the current PR is the "actually fix it" path.

Changes

| File | Change |
| --- | --- |
| python/packages/kagent-adk/pyproject.toml | google-adk>=1.28.1,<2 → >=2.2.0 |
| python/packages/agentsts-adk/pyproject.toml | google-adk>=1.28.1,<2 → >=2.2.0 |
| python/samples/adk/basic/pyproject.toml | google-adk>=1.8.0 → >=2.2.0 |
| python/pyproject.toml | Add starlette>=1.3.1 to workspace constraint-dependencies |
| python/uv.lock | Regenerated; starlette 0.52.1 → 1.3.1, google-adk 1.31.1 → 2.2.0. ~30 unused google-cloud-* packages drop out of the tree. |
| python/samples/adk/basic/uv.lock | Regenerated (standalone build context); starlette 0.47.2 → 1.3.1, google-adk 1.9.0 → 2.3.0 |

Test plan

  • Scan images CI passes on app (both starlette CVEs cleared)
  • python-test (3.10 / 3.11 / 3.12 / 3.13) all pass on the google-adk v2 line
  • test-e2e passes to catch any google-adk 1 → 2 API regressions
  • Manual sanity check that a sample agent (samples/adk/basic) still boots
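A starting point for the audit that the VEX / .trivyignore alternative above would need, as an added example that is not part of the PR or of kagent: an AST pass that flags where Python source constructs `StaticFiles` or calls `.form()`. The sample source is constructed, and the `.form()` match is a name-based heuristic; run it over installed dependencies as well as first-party code, since either can reach these APIs.

```python
import ast

CVE_STATIC = "CVE-2026-48818"   # StaticFiles, per the PR description
CVE_FORM = "CVE-2026-54283"     # request.form(), per the PR description

def audit_source(source, filename="<string>"):
    """Return sorted (line, cve, detail) findings for one Python source file."""
    tree = ast.parse(source, filename=filename)
    # Pass 1: local names bound to StaticFiles, including "import ... as" aliases.
    static_names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            for alias in node.names:
                if alias.name == "StaticFiles":
                    static_names.add(alias.asname or alias.name)
    # Pass 2: calls that construct StaticFiles or invoke <something>.form().
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in static_names:
            findings.append((node.lineno, CVE_STATIC, f"{func.id}(...) constructed"))
        elif isinstance(func, ast.Attribute) and func.attr == "StaticFiles":
            findings.append((node.lineno, CVE_STATIC, "StaticFiles(...) via attribute"))
        elif isinstance(func, ast.Attribute) and func.attr == "form":
            findings.append((node.lineno, CVE_FORM, ".form() called"))
    return sorted(findings)

# Constructed sample application, not code from kagent.
SAMPLE = '''\
from starlette.responses import PlainTextResponse
from starlette.routing import Mount, Route
from starlette.staticfiles import StaticFiles as Assets

async def login(request):
    form = await request.form()                         # flagged
    return PlainTextResponse(form.get("user", ""))      # .get() is not flagged

routes = [
    Route("/login", login, methods=["POST"]),
    Mount("/static", app=Assets(directory="static")),   # flagged despite the alias
]
'''

if __name__ == "__main__":
    for line, cve, detail in audit_source(SAMPLE):
        print(f"line {line}: {cve}: {detail}")
```

An empty result for both first-party code and dependencies is the evidence a not-affected VEX statement would rest on; any hit means the upgrade path is the safer choice.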

The starlette CVE fixes require starlette >= 1.3.1 (fixed only in the 1.x
line), which in turn requires upgrading google-adk from 1.x to 2.x since
google-adk<2 hard-pins starlette<1.0.0.

Changes:
- kagent-adk, agentsts-adk: bump google-adk from >=1.28.1,<2 to >=2.2.0.
  google-adk 2.2.0 is the earliest 2.x release that both supports
  starlette 1.x and stays compatible with kagent-core's existing
  opentelemetry-api>=1.38.0,<1.39.0 constraint.
- samples/adk/basic: bump google-adk from >=1.8.0 to >=2.2.0 and
  regenerate the standalone lockfile so the sample image is no longer
  built on starlette 0.47.2.
- python/pyproject.toml: add starlette>=1.3.1 to constraint-dependencies
  so the whole venv is pinned above the CVE fix version.
- python/uv.lock, python/samples/adk/basic/uv.lock: regenerated
  accordingly; starlette resolves to 1.3.1 in both.

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
Copilot AI review requested due to automatic review settings July 2, 2026 15:29
@github-actions github-actions Bot added the bug Something isn't working label Jul 2, 2026

Copilot AI left a comment


Pull request overview

Updates the Python workspace and sample dependencies to remediate two HIGH-severity Starlette CVEs by moving the dependency graph onto Starlette 1.x (requiring a google-adk v2 upgrade).

Changes:

  • Add a workspace constraint to enforce starlette>=1.3.1 and regenerate the workspace lockfile to resolve Starlette 1.3.1.
  • Upgrade google-adk to the v2 line in kagent-adk, agentsts-adk, and the samples/adk/basic project.
  • Regenerate uv.lock files to reflect the new dependency tree (including dropping unused transitive packages).

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| python/packages/kagent-adk/pyproject.toml | Bumps google-adk requirement to v2 to allow Starlette 1.x. |
| python/packages/agentsts-adk/pyproject.toml | Bumps google-adk requirement to v2 to allow Starlette 1.x. |
| python/samples/adk/basic/pyproject.toml | Updates sample to google-adk>=2.2.0. |
| python/pyproject.toml | Adds starlette>=1.3.1 to workspace constraint dependencies. |
| python/uv.lock | Regenerated workspace lock resolving Starlette 1.3.1 and google-adk 2.2.0. |
| python/samples/adk/basic/uv.lock | Regenerated sample lock resolving Starlette 1.3.1 / google-adk 2.3.0. |

Comment thread python/samples/adk/basic/pyproject.toml
Without an explicit requires-python, uv defaulted the regenerated lock
to >=3.13 (the lock author's Python), which would prevent the sample
from running on the repo's supported 3.10-3.12 runtimes. Add >=3.10 to
match the workspace packages and regenerate the standalone lock.

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
@jsonmp-k8

Contributor Author

The build (golang-adk-full) failure (and the cascading matrix cancellations) is a pre-existing infrastructure issue on main, not introduced by this PR.

Error is identical:
```
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Dockerfile.full:35
ERROR: process ".../npm install ..." did not complete successfully: exit code: 132
```

Timeline:

Root cause is apk pulling nodejs-26.4.0-r1 at build time, whose arm64 binary uses instructions that docker/setup-qemu-action@v4 (QEMU 10.2.3) cannot emulate. go/Dockerfile.full line 30 installs nodejs unpinned even though TOOLS_NODE_VERSION=24 is threaded in as a build arg but never wired into the apk add command — so builds silently drifted to nodejs 26 when Wolfi published it.

This PR only touches Python pyproject.toml / uv.lock files — none of the go Docker builds. The fix belongs in a separate infra PR (either pin nodejs-24 in the apk add, or pin a QEMU version that supports the newer node arm64 binary).

Happy to open that infra PR too if useful, but flagging this here so the failing checks don't block review of the actual security change.

…rfile

The srt-builder and final stages install `nodejs` unpinned via `apk add`,
even though `TOOLS_NODE_VERSION=24` is threaded through as a build arg.
When Wolfi published nodejs-26.4.0-r1, arm64 builds started crashing with
`qemu: uncaught target signal 4 (Illegal instruction) - core dumped`
because the newer binary uses CPU instructions the docker/setup-qemu-action
version cannot emulate.

Pin nodejs to "nodejs~${TOOLS_NODE_VERSION}" to match the pattern already
used in ui/Dockerfile:13 and :50, so the version arg actually constrains
the installed package and Wolfi upgrades to a new major don't silently
break builds.

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
@EItanya

EItanya commented Jul 2, 2026

Contributor

How is this passing CI, is adk 2.0 backwards compatible?
