SECURITY_VULNERABILITIES.md · 7.3 KB

mindX Security Vulnerabilities

Source: GitHub Dependabot

Last Audited: 2026-04-03

Total: 30 vulnerabilities (8 high, 10 medium, 12 low)

Summary by Severity

| Severity | Count | Action |
|---|---|---|
| Critical | 0 | — |
| High | 8 | Upgrade or mitigate |
| Medium | 10 | Monitor, upgrade when stable |
| Low | 12 | Acceptable risk, track |

Vulnerabilities by Package

aiohttp (18 vulnerabilities)

Installed: 3.13.5

Impact: Core HTTP client used by Ollama API, vLLM handler, inference discovery, heartbeat

| Severity | Summary | Mitigation |
|---|---|---|
| HIGH | HTTP parser auto_decompress zip bomb | mindX only calls trusted local Ollama — low external exposure |
| MEDIUM | Duplicate Host headers accepted | Internal-only connections (localhost) |
| MEDIUM | Multipart header size bypass | No file uploads from untrusted sources |
| MEDIUM | DoS through chunked messages | Rate limiting via API access gate |
| MEDIUM | DoS through large payloads | Apache proxy limits request size |
| MEDIUM | DoS when bypassing asserts | Rate limiting active |
| MEDIUM | Unlimited trailer headers | Internal connections only |
| MEDIUM | UNC SSRF on Windows | N/A — Linux VPS |
| LOW | CRLF injection in multipart | No multipart to untrusted endpoints |
| LOW | Cookie parser warning storm | No external cookie handling |
| LOW | DNS cache unbounded | Short-lived connections |
| LOW | Cookie/auth leak on redirect | No cross-origin redirects |
| LOW | Late size enforcement multipart | No untrusted multipart uploads |
| LOW | Null bytes in response headers | Internal connections only |
| LOW | HTTP response splitting via \r | Internal connections only |
| LOW | Unicode match groups in regexes | Internal protocol only |
| LOW | Unicode header value parsing | Internal protocol only |
| LOW | Brute-force static file path leak | No static file serving via aiohttp |

Risk Assessment: LOW — aiohttp is used only for localhost connections to Ollama and internal services. No untrusted external input reaches aiohttp directly. Apache handles all external traffic.

Action: Upgrade when 3.14+ is released. Current mitigations (localhost-only, rate limiting, Apache proxy) are sufficient.
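The aiohttp mitigations above all rest on the client only ever being pointed at loopback services. The following is an added example, not mindX code, of a guard that enforces that assumption before a URL is handed to the HTTP client; `require_loopback`, `audit_targets`, `NonLoopbackTarget` and the sample URLs are hypothetical names and constructed values, and the guard assumes internal services are addressed by IP literal or the name `localhost` (it performs no DNS resolution).

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_NAMES = {"localhost"}        # assumption: the only hostname used internally
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample targets (not taken from mindX configuration).
SAMPLE_URLS = [
    "http://127.0.0.1:11434/api/generate",
    "http://localhost:8000/health",
    "http://[::1]:11434/api/tags",
    "http://127.0.0.1@203.0.113.7/api/tags",  # userinfo in front of the real host
    "http://localhost.example.test/",          # name that merely starts with localhost
    "http://192.168.1.10:11434/",              # private, but not loopback
    "ftp://127.0.0.1/",                        # loopback, wrong scheme
]

class NonLoopbackTarget(ValueError):
    """Raised when an outbound URL does not point at the loopback interface."""

def require_loopback(url: str) -> str:
    """Return url unchanged if it targets loopback, otherwise raise."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise NonLoopbackTarget(f"scheme not allowed: {parts.scheme!r}")
    # .hostname is lowercased and excludes userinfo, port and IPv6 brackets.
    host = parts.hostname
    if not host:
        raise NonLoopbackTarget("URL has no host")
    if host in ALLOWED_NAMES:
        return url
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Any other name would need DNS, which this guard does not trust.
        raise NonLoopbackTarget(f"not an allowed name or IP literal: {host!r}") from None
    if not addr.is_loopback:
        raise NonLoopbackTarget(f"address is not loopback: {addr}")
    return url

def audit_targets(urls):
    """Map each rejected URL to the reason it was rejected."""
    rejected = {}
    for url in urls:
        try:
            require_loopback(url)
        except NonLoopbackTarget as exc:
            rejected[url] = str(exc)
    return rejected
```

Calls made after this check should also pass aiohttp's `allow_redirects=False`, so a redirect response cannot move the request off loopback once the URL has been validated.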

cryptography (2 vulnerabilities)

Installed: 46.0.6

| Severity | Summary | Mitigation |
|---|---|---|
| HIGH | Subgroup attack on SECT curves | mindX uses AES-256-GCM + HKDF-SHA512, not SECT curves |
| LOW | Incomplete DNS name constraint enforcement | No certificate validation against DNS constraints |

Risk Assessment: LOW — BANKON Vault uses AES-256-GCM + HKDF-SHA512, not elliptic curve operations affected by this vulnerability.

Action: Monitor. Upgrade if ECDSA operations are added for on-chain signing.

urllib3 (2 vulnerabilities)

Installed: 2.6.3

| Severity | Summary | Mitigation |
|---|---|---|
| HIGH | Decompression-bomb bypass on redirects | No streaming API used with untrusted URLs |
| HIGH | Streaming API highly compressed data | No streaming from untrusted sources |

Risk Assessment: LOW — urllib3 is used by the requests library for outbound HTTP only. All outbound calls go to trusted APIs (Gemini, Groq) with known response formats.

Action: Upgrade when available.

pyOpenSSL (2 vulnerabilities)

Installed: Not directly installed (transitive dependency)

| Severity | Summary | Mitigation |
|---|---|---|
| HIGH | DTLS cookie callback buffer overflow | DTLS not used |
| LOW | TLS connection bypass via callback exception | Apache handles TLS, not Python |

Risk Assessment: NEGLIGIBLE — pyOpenSSL is a transitive dependency not directly used. Apache handles all TLS termination.

PyJWT (1 vulnerability)

Installed: 2.12.1

| Severity | Summary | Mitigation |
|---|---|---|
| HIGH | Accepts unknown crit header extensions | mindX uses wallet signatures, not JWT for auth |

Risk Assessment: NEGLIGIBLE — JWT is not used for authentication. Session tokens are UUID-based, stored in vault.

orjson (1 vulnerability)

Installed: Not directly installed (transitive)

| Severity | Summary | Mitigation |
|---|---|---|
| HIGH | No recursion limit for deeply nested JSON | Not used for untrusted input parsing |

Risk Assessment: LOW — orjson is optional/transitive. Standard json library is the primary parser.

python-multipart (1 vulnerability)

Installed: 0.0.22

| Severity | Summary | Mitigation |
|---|---|---|
| HIGH | Arbitrary file write via non-default config | Default config used. No custom file write paths. |

Risk Assessment: LOW — Default configuration. API access gate blocks unauthenticated file uploads.

requests (1 vulnerability)

Installed: 2.33.1

| Severity | Summary | Mitigation |
|---|---|---|
| MEDIUM | Insecure temp file reuse in extract_zipped_paths | No ZIP extraction from untrusted sources |

Risk Assessment: NEGLIGIBLE — No ZIP processing in mindX.

diskcache (1 vulnerability)

Installed: Transitive dependency

| Severity | Summary | Mitigation |
|---|---|---|
| MEDIUM | Unsafe pickle deserialization | No diskcache usage with untrusted data |

Risk Assessment: NEGLIGIBLE — Not directly used.

PyNaCl (1 vulnerability)

Installed: Transitive dependency

| Severity | Summary | Mitigation |
|---|---|---|
| MEDIUM | libsodium incomplete disallowed inputs | No direct libsodium usage |

Risk Assessment: NEGLIGIBLE — Transitive dependency.

Architecture Mitigations

mindX's production architecture provides defense-in-depth:

  • Apache reverse proxy — handles all external traffic, TLS termination, request size limits
  • API access gate — all non-public routes require X-Session-Token or Authorization: Bearer
  • Localhost-only binding — uvicorn listens on 127.0.0.1:8000, not exposed to internet
  • BANKON Vault — credentials encrypted with AES-256-GCM, never stored in plaintext
  • Tool access control — BDI agent checks allowed_agents before tool execution
  • Guardian ECDSA — real wallet signature challenge-response for agent verification
  • Rate limiting — per-endpoint rate limits via security middleware
  • Resource Governor — prevents OOM by auto-adjusting resource appetite
  • PostgreSQL — pgvector data isolated from web-facing code
Recommended Upgrades

| Package | Current | Action | Priority |
|---|---|---|---|
| aiohttp | 3.13.5 | Upgrade when 3.14+ available | Medium |
| cryptography | 46.0.6 | Monitor for 47.x | Low |
| urllib3 | 2.6.3 | Upgrade when patch available | Low |
| python-multipart | 0.0.22 | Upgrade to 0.0.23+ if available | Low |

Conclusion

Overall risk: LOW. The 8 high-severity vulnerabilities are all in packages used only for internal localhost connections or as transitive dependencies not directly invoked. Apache proxy, API access gate, and localhost-only binding provide effective mitigation. No critical vulnerabilities exist. The most impactful upgrade path is aiohttp when 3.14+ is released.
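The localhost-only binding listed under Architecture Mitigations can be checked on the host rather than assumed. The following is an added example, not part of mindX, that parses `ss -ltnH` output and reports any listener on a given port that is bound to a non-loopback address; `exposed_listeners` and the sample output are hypothetical and constructed, and port 8000 is the uvicorn port named above.

```python
import ipaddress
import subprocess
import sys

# Constructed samples of `ss -ltnH` output (not captured from a mindX host).
SAMPLE_OK = """\
LISTEN 0 2048 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 244  127.0.0.1:5432 0.0.0.0:*
"""
SAMPLE_BAD = """\
LISTEN 0 2048 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 2048 [::1]:8000   [::]:*
LISTEN 0 511  *:443        *:*
"""

def _is_loopback(addr: str) -> bool:
    # Drop an interface scope such as %lo, then IPv6 brackets.
    addr = addr.split("%", 1)[0].strip("[]")
    if addr == "*":
        return False              # wildcard bind: every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False              # unparseable address: fail closed

def exposed_listeners(ss_output: str, port: int) -> list:
    """Return local address:port entries on `port` not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue              # header line or non-listening socket
        addr, _, local_port = fields[3].rpartition(":")
        if local_port == str(port) and not _is_loopback(addr):
            exposed.append(fields[3])
    return exposed

if __name__ == "__main__":
    # On the server itself: inspect live sockets and fail if 8000 is exposed.
    out = subprocess.run(["ss", "-ltnH"], capture_output=True,
                         text=True, check=True).stdout
    bad = exposed_listeners(out, 8000)
    for entry in bad:
        print(f"port 8000 is exposed on {entry}", file=sys.stderr)
    sys.exit(1 if bad else 0)
```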

