chore(findings): virtualitics/predict/predict-backend

Summary

virtualitics/predict/predict-backend has 32 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=virtualitics/predict/predict-backend&tag=1.26.0.0&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id	source	severity	package	impact	workaround	epss_score	kev
CVE-2025-47287	Twistlock CVE	High	tornado-6.4.2			0.00113	false
CVE-2025-47273	Twistlock CVE	High	setuptools-76.0.0			0.00100	false
CVE-2025-2099	Twistlock CVE	Medium	transformers-4.49.0			0.00073	false
CVE-2024-47081	Twistlock CVE	Medium	requests-2.32.3			0.00067	false
CVE-2025-3777	Twistlock CVE	Low	transformers-4.49.0			0.00060	false
CVE-2025-4565	Twistlock CVE	High	protobuf-5.29.3			0.00055	false
CVE-2025-3264	Twistlock CVE	Medium	transformers-4.49.0			0.00055	false
CVE-2025-3263	Twistlock CVE	Medium	transformers-4.49.0			0.00055	false
CVE-2025-3262	Twistlock CVE	Medium	transformers-4.49.0			0.00055	false
CVE-2025-1194	Twistlock CVE	Medium	transformers-4.49.0			0.00049	false
CVE-2025-53643	Twistlock CVE	Low	aiohttp-3.11.13			0.00048	false
CVE-2025-3933	Twistlock CVE	Medium	transformers-4.49.0			0.00042	false
CVE-2025-47278	Twistlock CVE	Low	flask-3.1.0	This was a newly introduced feature that is not yet in common use.		0.00017	false
CVE-2025-50181	Twistlock CVE	Medium	urllib3-2.3.0	Most users dont disable redirects on the PoolManager.	Set redirectsFalseredirects0 on the .request call instead of on the toplevel urllib3.PoolManager	0.00011	false
CVE-2025-50182	Twistlock CVE	Medium	urllib3-2.3.0	Pyodide is extremely rare configuration for users in production.		0.00010	false
GHSA-qq3j-4f4f-9583	Anchore CVE	Medium	transformers-4.49.0			N/A	N/A
GHSA-q2wp-rjmx-x6x9	Anchore CVE	Medium	transformers-4.49.0			N/A	N/A
GHSA-pq67-6m6q-mj2v	Anchore CVE	Medium	urllib3-2.3.0			N/A	N/A
GHSA-phhr-52qp-3mj4	Anchore CVE	Low	transformers-4.49.0			N/A	N/A
GHSA-jjph-296x-mrcr	Anchore CVE	Medium	transformers-4.49.0			N/A	N/A
GHSA-fpwr-67px-3qhx	Anchore CVE	Medium	transformers-4.49.0			N/A	N/A
GHSA-9hjg-9r4m-mvj7	Anchore CVE	Medium	requests-2.32.3			N/A	N/A
GHSA-9548-qrrj-x5pj	Anchore CVE	Low	aiohttp-3.11.13			N/A	N/A
GHSA-8qvm-5x2c-j2w7	Anchore CVE	High	protobuf-5.29.3			N/A	N/A
GHSA-887c-mr87-cxwp	Anchore CVE	Medium	torch-2.5.1+cpu.cxx11.abi			N/A	N/A
GHSA-7cx3-6m66-7c5m	Anchore CVE	High	tornado-6.4.2			N/A	N/A
GHSA-5rjg-fvgr-3xxf	Anchore CVE	High	setuptools-76.0.0			N/A	N/A
GHSA-4grg-w6v8-c28g	Anchore CVE	Low	flask-3.1.0			N/A	N/A
GHSA-48p4-8xcf-vxj5	Anchore CVE	Medium	urllib3-2.3.0			N/A	N/A
GHSA-489j-g2vx-39wf	Anchore CVE	Medium	transformers-4.49.0			N/A	N/A
GHSA-37mw-44qp-f5jm	Anchore CVE	Medium	transformers-4.49.0			N/A	N/A
GHSA-3749-ghw9-m3mg	Anchore CVE	Low	torch-2.5.1+cpu.cxx11.abi			N/A	N/A

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=virtualitics/predict/predict-backend&tag=1.26.0.0&branch=master

Tasks

Contributor:

• Provide justifications for findings in the VAT (docs)
• Apply the StatusVerification label to this issue and wait for feedback

Iron Bank:

• Review findings and justifications

Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.