Security Scan Report

Service: eizen-llava-inference | Branch: code-refactor-v2 | Build: #22 | Date: 2026-02-09 14:55:11
3
Critical
9
High
10
Medium
0
Low

LLM Verification Summary

Model: qwen3:14b | Verified: 22/22
TRUE Positives: 1 FALSE Positives: 3 Needs Review: 18
CRITICAL OWASP-DC CVE-2025-53644: OpenCV is an Open Source Computer Vision Library. Versions 4.10.0 and 4.11.0 have an NEEDS REVIEW
pkg:pypi/opencv-python@4.11.0.86:0 CVE-2025-53644 | CVSS: 9.8 | CWE-457
OpenCV is an Open Source Computer Vision Library. Versions 4.10.0 and 4.11.0 have an uninitialized pointer variable on stack that may lead to arbitrary heap buffer write when reading crafted JPEG imag
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
CRITICAL OWASP-DC CVE-2019-20478: In ruamel.yaml through 0.16.7, the load method allows remote code execution if the a NEEDS REVIEW
pkg:pypi/ruamel.yaml.clib@0.2.14:0 CVE-2019-20478 | CVSS: 9.8 | CWE-NVD-CWE-noinfo
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unawa
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
CRITICAL OWASP-DC CVE-2023-30859: Triton is a Minecraft plugin for Spigot and BungeeCord that helps you translate your TRUE POSITIVE
pkg:pypi/triton@3.4.0:0 CVE-2023-30859 | CVSS: 9.8 | CWE-419
Triton is a Minecraft plugin for Spigot and BungeeCord that helps you translate your Minecraft server. The CustomPayload packet allows you to execute commands on the spigot/bukkit console. When you en
LLM Analysis: LLM indicated true positive
Recommendation: Fix the vulnerability
HIGH OWASP-DC CVE-2019-14751: NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attack NEEDS REVIEW
pkg:pypi/nltk:0 CVE-2019-14751 | CVSS: 7.5 | CWE-22
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during ex
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
HIGH OWASP-DC CVE-2021-3828: nltk is vulnerable to Inefficient Regular Expression Complexity FALSE POSITIVE
pkg:pypi/nltk:0 CVE-2021-3828 | CVSS: 7.5 | CWE-697
nltk is vulnerable to Inefficient Regular Expression Complexity
LLM Analysis: LLM indicated false positive
Recommendation: Review manually
HIGH OWASP-DC CVE-2021-3842: nltk is vulnerable to Inefficient Regular Expression Complexity NEEDS REVIEW
pkg:pypi/nltk:0 CVE-2021-3842 | CVSS: 7.5 | CWE-1333
nltk is vulnerable to Inefficient Regular Expression Complexity
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
HIGH OWASP-DC CVE-2021-43854: NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, FALSE POSITIVE
pkg:pypi/nltk:0 CVE-2021-43854 | CVSS: 7.5 | CWE-400
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulne
LLM Analysis: LLM indicated false positive
Recommendation: Review manually
HIGH OWASP-DC CVE-2022-3064: Parsing malicious or large YAML documents can consume excessive amounts of CPU or mem NEEDS REVIEW
pkg:pypi/ruamel.yaml.clib@0.2.14:0 CVE-2022-3064 | CVSS: 7.5 | CWE-400
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
HIGH OWASP-DC CVE-2022-3064: Parsing malicious or large YAML documents can consume excessive amounts of CPU or mem NEEDS REVIEW
pkg:pypi/ruamel.yaml@0.19.1:0 CVE-2022-3064 | CVSS: 7.5 | CWE-400
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
HIGH OWASP-DC CVE-2022-3064: Parsing malicious or large YAML documents can consume excessive amounts of CPU or mem NEEDS REVIEW
pkg:pypi/yaml:0 CVE-2022-3064 | CVSS: 7.5 | CWE-400
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
HIGH OWASP-DC CVE-2025-45770: jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disp FALSE POSITIVE
pkg:pypi/pyjwt@2.11.0:0 CVE-2025-45770 | CVSS: 7.0 | CWE-326
jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is su
LLM Analysis: LLM indicated false positive
Recommendation: Review manually
HIGH OWASP-DC CVE-2025-45770: jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disp NEEDS REVIEW
pkg:pypi/jwt:0 CVE-2025-45770 | CVSS: 7.0 | CWE-326
jwt v5.4.3 was discovered to contain weak encryption. NOTE: this issue has been disputed on the basis that key lengths are expected to be set by an application, not by this library. This dispute is su
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
MEDIUM Bandit Possible binding to all interfaces. NEEDS REVIEW
/home/eizen-7/jenkins/workspace/new-scan/./src/config/constants.py:74
73 logging.warning(f"HTTP origin rejected in production environment: {_origin}") 74 elif 'localhost' in _origin or '127.0.0.1' in _origin or '0.0.0.0' in _origin: 75 ALLOWED_ORIGINS.append(_origin)
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
MEDIUM Bandit Possible binding to all interfaces. NEEDS REVIEW
/home/eizen-7/jenkins/workspace/new-scan/./src/config/constants.py:105
104 105 SERVER_HOST = os.environ.get('SERVER_HOST', '0.0.0.0') 106 SERVER_PORT = _validate_int_env('SERVER_PORT', 8222, min_val=1024, max_val=65535)
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
MEDIUM Bandit Unsafe Hugging Face Hub download without revision pinning in from_pretrained() NEEDS REVIEW
/home/eizen-7/jenkins/workspace/new-scan/./src/core/model_service.py:173
172 173 processor = LlavaNextVideoProcessor.from_pretrained( 174 model_weights_path, 175 local_files_only=True 176 ) 177
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
MEDIUM Bandit Unsafe Hugging Face Hub download without revision pinning in from_pretrained() NEEDS REVIEW
/home/eizen-7/jenkins/workspace/new-scan/./src/core/model_service.py:185
184 185 model = LlavaNextVideoForConditionalGeneration.from_pretrained( 186 model_weights_path, 187 quantization_config=bnb_config, 188 device_map=MODEL_DEVICE, 189 local_files_only=True, 190 trust_remote_code=False 191 ) 1
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
MEDIUM Bandit Unsafe Hugging Face Hub download without revision pinning in snapshot_download() NEEDS REVIEW
/home/eizen-7/jenkins/workspace/new-scan/./src/misc/download-weights.py:18
17 try: 18 model_files = snapshot_download( 19 repo_id=model_id, 20 local_dir=model_save_dir, 21 local_dir_use_symlinks=False, 22 resume_download=True # This helps if download was interrupted 23 ) 24 print(f"All model files downloaded to {model_save_dir}"
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
MEDIUM Bandit Unsafe Hugging Face Hub download without revision pinning in from_pretrained() NEEDS REVIEW
/home/eizen-7/jenkins/workspace/new-scan/./src/misc/download-weights.py:36
35 try: 36 processor = LlavaNextVideoProcessor.from_pretrained(model_save_dir) 37 print("✓ Successfully loaded processor")
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
MEDIUM Bandit Unsafe Hugging Face Hub download without revision pinning in from_pretrained() NEEDS REVIEW
/home/eizen-7/jenkins/workspace/new-scan/./src/misc/download-weights.py:53
52 # Load with 4-bit quantization 53 model = LlavaNextVideoForConditionalGeneration.from_pretrained( 54 model_save_dir, 55 quantization_config=bnb_config, 56 device_map="auto" # Will use CPU if no GPU is available 57 ) 58 print("✓ Successfully loaded model wi
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
MEDIUM OWASP-DC CVE-2021-4235: Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system NEEDS REVIEW
pkg:pypi/ruamel.yaml.clib@0.2.14:0 CVE-2021-4235 | CVSS: 5.5 | CWE-NVD-CWE-noinfo
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
MEDIUM OWASP-DC CVE-2021-4235: Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system NEEDS REVIEW
pkg:pypi/ruamel.yaml@0.19.1:0 CVE-2021-4235 | CVSS: 5.5 | CWE-NVD-CWE-noinfo
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required
MEDIUM OWASP-DC CVE-2021-4235: Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system NEEDS REVIEW
pkg:pypi/yaml:0 CVE-2021-4235 | CVSS: 5.5 | CWE-NVD-CWE-noinfo
Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.
LLM Analysis: LLM verification inconclusive
Recommendation: Manual review required