[Aikido] Fix 16 security issues in langchain, langchain-openai, langchain-chroma and 9 more #6

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-19224442-fmi8

aikido-autofix bot commented Mar 13, 2026

Upgrade dependencies to fix critical template injection, serialization injection, XXE, and DoS vulnerabilities in LangChain and protobuf.

✅ Code not affected by breaking changes.

No breaking changes from the package upgrades affect this codebase.

Analysis summary:

  • langchain-text-splitters: The codebase does not use HTMLSectionSplitter or the xslt_path parameter. While chunk_size and overlap are used in crit/compare.py, they are custom parameters for a tiktoken-based chunking function, not langchain-text-splitters API parameters.

  • urllib3: The codebase does not directly import or use urllib3, HTTPResponse, getheaders(), or getheader() methods.

  • filelock: The project requires Python >=3.12, which is well above the new minimum of Python 3.10 (dropping 3.9 support has no impact).

  • onnxruntime: While onnxruntime is a transitive dependency (via langchain-chroma), the codebase does not directly use it, does not use GPU features, and does not target Windows-specific functionality.

  • asgiref: This package is not present in the project's dependencies.

✅ 16 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2025-65106 | HIGH | [langchain-core] Template injection vulnerability in prompt template system allows attackers to access Python object internals through malicious template syntax. This enables arbitrary code execution and information disclosure in applications accepting untrusted template strings. |
| CVE-2025-68664 | HIGH | [langchain-core] A serialization injection vulnerability in dumps() and dumpd() functions allows unescaped 'lc' keys in user-controlled dictionaries to be treated as legitimate LangChain objects during deserialization, enabling remote code execution through malicious serialized payloads. |
| CVE-2026-26013 | LOW | [langchain-core] The ChatOpenAI.get_num_tokens_from_messages() method fetches unvalidated image URLs when computing token counts for vision models, enabling Server-Side Request Forgery (SSRF) attacks through malicious image URLs in user input. |
| CVE-2026-0994 | HIGH | [protobuf] ParseDict() fails to properly track recursion depth when handling nested Any messages, allowing attackers to bypass the max_recursion_depth limit and trigger a RecursionError, causing denial of service. |
| CVE-2025-67221 | HIGH | [orjson] The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents. |
| CVE-2025-6985 | HIGH | [langchain-text-splitters] HTMLSectionSplitter is vulnerable to XML External Entity (XXE) attacks through unsafe XSLT parsing, allowing attackers to read arbitrary files accessible to the process without authentication. This enables disclosure of sensitive data like SSH keys, environment files, and cloud metadata. |
| CVE-2025-66418 | HIGH | [urllib3] An unbounded decompression chain vulnerability allows malicious servers to insert unlimited compression steps, causing excessive CPU usage and memory allocation. This leads to denial of service through resource exhaustion. |
| CVE-2025-66471 | HIGH | [urllib3] The Streaming API improperly handles highly compressed data, allowing attackers to cause excessive CPU usage and massive memory allocation through decompression of small compressed payloads. This results in a denial-of-service vulnerability via resource exhaustion. |
| CVE-2026-21441 | HIGH | [urllib3] Decompression bomb vulnerability in streaming API for HTTP redirects. Malicious servers can trigger excessive resource consumption by sending compressed redirect responses that are fully decompressed without respecting read limits. |
| CVE-2026-23490 | HIGH | [pyasn1] is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. |
| CVE-2025-68146 | MEDIUM | [filelock] A TOCTOU race condition in lock file creation allows local attackers to corrupt or truncate arbitrary files via symlink attacks on Unix, Linux, macOS, and Windows. Attackers can exploit the time gap between file existence checks and file opening to redirect writes to victim files. |
| CVE-2026-22701 | MEDIUM | [filelock] A TOCTOU race condition in SoftFileLock allows local attackers to create symlinks between permission validation and file creation, causing lock operations to fail or operate on unintended targets. This can lead to denial of service or unexpected lock behavior. |
| AIKIDO-2026-10181 | MEDIUM | [onnxruntime] Path traversal vulnerability in external data references allows loading arbitrary files from the filesystem without directory validation, potentially enabling unauthorized file access and sensitive data disclosure through specially crafted models. |
| AIKIDO-2026-10290 | MEDIUM | [onnxruntime] The ArrayFeatureExtractor operator lacks validation for negative index values, allowing only upper bound checks. An attacker can exploit this out-of-bounds read vulnerability to access unintended heap memory and leak sensitive data during model inference. |
| CVE-2025-62727 | LOW | [starlette] An unauthenticated attacker can send a crafted HTTP Range header to trigger quadratic-time processing in FileResponse Range parsing, causing CPU exhaustion and denial-of-service for file-serving endpoints. |
| AIKIDO-2026-10159 | LOW | [asgiref] The WsgiToAsgi adapter is vulnerable to Denial of Service through malicious requests with excessive duplicate HTTP headers, causing resource exhaustion and potential service degradation or crash. |

aikido-autofix bot closed this Mar 20, 2026
aikido-autofix bot deleted the fix/aikido-security-update-packages-19224442-fmi8 branch March 20, 2026 00:49