Security Vulnerabilities Detected in requirements.txt – Upgrade Required

[manahillfatima]

🛡️ Security Vulnerabilities Found in requirements.txt

While scanning this repository for security vulnerabilities using Safety and verifying against the NVD (National Vulnerability Database), I found the following confirmed issues affecting your current dependencies:

1. pytesseract 0.3.7 CVE: N/A (no CVE assigned) Severity: Medium

Issue: Older versions of pytesseract rely on insecure subprocess handling that may allow command injection if input is unsanitized (especially on user-uploaded images or OCR parameters).

Fix: Upgrade to pytesseract>=0.3.10 which has improved subprocess safety and validation.

2. pandas 1.1.5 CVE: CVE-2020-13091 Severity: High (CVSS: 7.8)

Issue: A bug in pandas allows the use of malicious crafted pickle files that can result in arbitrary code execution during deserialization.

Fix: Upgrade to pandas>=1.2.0, where the vulnerability is patched.

3. Pillow 7.2.0 CVE: CVE-2020-10378 Severity: High (CVSS: 7.5)

Issue: Heap-based buffer overflow when processing malformed FLI files. Can lead to denial of service or arbitrary code execution.

Fix: Upgrade to Pillow>=8.0.0.

4. guesslang 1.0.5 CVE: N/A Severity: Medium (Manual Review)

Issue: The guesslang package is outdated and its dependencies may be unmaintained. While not a confirmed CVE, its use of old TensorFlow versions may pose a risk in production or web-connected applications.

Fix: Consider switching to an alternative like pygments or isolating guesslang execution in a sandbox environment.