First of all, I want to begin with the fact that you have a great project going on here 😄
I am writing this issue hoping that you might be able to address the following vulnerabilities introduced by some of the packages that the project uses.
Those are:
FastAPI: Regular Expression Denial of Service (ReDoS)
Introduced through: fastapi@0.104.1
Fixed in: fastapi@0.109.1
torch: Command Injection
Introduced through: torch@1.13.0
Fixed in: torch@1.13.1
The following ones are not directly linked to the project, but might be fixable by upgrading to a higher version of faster-whisper.
They both seem to come from faster-whisper.
certifi: Improper Following of a Certificate's Chain of Trust
@ahmetoner, @ayancey Hi guys, it looks like a serious security concern. I suggest fixing it ASAP, especially fastapi. It looks like only an update of the packages is needed.
Hello Team, 👋
Thank you! Stefan