Merge pull request #55 from mitre/fix/cve-pyminizip-advisory

deacon-mp · web-flow · commit 798d20cfbf7c · 2026-03-17T23:03:26.000-04:00
fix: document CVE-2023-45853 in pyminizip dependency
diff --git a/requirements.txt b/requirements.txt
@@ -1 +1,4 @@
+# WARNING: pyminizip 0.2.6 is affected by CVE-2023-45853 (integer overflow
+# in bundled minizip/zlib code). No patched version is available as of 2026-03.
+# Consider replacing with an alternative zip library when one becomes available.
 pyminizip==0.2.6
