Description
Summary
The published PyPI wheels for opencv-python 4.13.0.92 (and opencv-python-headless, opencv-contrib-python) bundle ffmpeg 5.1.x (libavcodec.so.59.37.100), despite the build Dockerfiles in this repository specifying FFMPEG_VERSION=8.0.1 as of commit d098302 (Jan 6, 2026).
This results in 14 unresolved CVEs flagged by vulnerability scanners (grype, etc.) in any Docker image that installs these wheels.
Reproduction
pip download --no-deps \
    --platform manylinux_2_28_aarch64 \
    --python-version 312 --abi cp312 \
    opencv-python-headless==4.13.0.92
unzip -l opencv_python_headless-4.13.0.92-cp37-abi3-manylinux_2_28_aarch64.whl \
    | grep libav

Output:
11871529 02-05-2026 08:39 opencv_python_headless.libs/libavcodec-5696b3bf.so.59.37.100
2698441 02-05-2026 08:39 opencv_python_headless.libs/libavformat-bf63de55.so.59.27.100
869185 02-05-2026 08:39 opencv_python_headless.libs/libavutil-cac768a8.so.57.28.100
329009 02-05-2026 08:39 opencv_python_headless.libs/libswresample-a12ab15e.so.4.7.100
656777 02-05-2026 08:39 opencv_python_headless.libs/libswscale-27999517.so.6.7.100
libavcodec.so.59 = ffmpeg 5.1.x. ffmpeg 8.0.1 would be libavcodec.so.61.
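The manual check above (list the wheel, grep for libav, read the SONAME) is the kind of thing that belongs in a release gate rather than in a bug report after the fact. The following script is an added example, not code from the opencv-python project: it parses the vendored `*.libs/` entries of a wheel straight from the zip listing and fails if the bundled libavcodec major is not the one the pinned FFMPEG_VERSION should have produced. The wheel it runs on is a constructed zip containing only the five file names reported in this issue (empty files, not real libraries); `expected_major` is supplied by the caller rather than derived from any version table.

```python
"""Verify which FFmpeg shared libraries a built wheel bundles, from the zip listing alone."""
import io
import re
import zipfile
from typing import Dict, Iterable, Tuple

# auditwheel-style vendored names look like
#   "opencv_python_headless.libs/libavcodec-5696b3bf.so.59.37.100"
# i.e. <pkg>.libs/<lib>-<8 hex digit tag>.so.<major>.<minor>.<micro>
_VENDORED_LIB_RE = re.compile(
    r"^(?P<dir>[^/]+\.libs)/(?P<lib>lib[a-z0-9]+)-[0-9a-f]{8}\.so\."
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<micro>\d+)$"
)

# FFmpeg components opencv-python vendors; other vendored libs are ignored.
FFMPEG_LIBS = ("libavcodec", "libavformat", "libavutil", "libswresample", "libswscale")


def bundled_ffmpeg_libs(wheel_bytes: bytes) -> Dict[str, Tuple[int, int, int]]:
    """Return {library: (major, minor, micro)} for every vendored FFmpeg lib in the wheel."""
    found: Dict[str, Tuple[int, int, int]] = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as whl:
        for name in whl.namelist():
            m = _VENDORED_LIB_RE.match(name)
            if m and m.group("lib") in FFMPEG_LIBS:
                found[m.group("lib")] = (
                    int(m.group("major")), int(m.group("minor")), int(m.group("micro"))
                )
    return found


def check_libavcodec_major(wheel_bytes: bytes, expected_major: int) -> Tuple[bool, str]:
    """Release gate: does the bundled libavcodec SONAME major match what the build pinned?"""
    libs = bundled_ffmpeg_libs(wheel_bytes)
    if "libavcodec" not in libs:
        return False, "no vendored libavcodec found in wheel"
    major, minor, micro = libs["libavcodec"]
    if major != expected_major:
        return False, (f"libavcodec.so.{major}.{minor}.{micro} bundled, "
                       f"expected major {expected_major}")
    return True, f"libavcodec.so.{major}.{minor}.{micro} matches expected major {expected_major}"


def make_sample_wheel(lib_names: Iterable[str]) -> bytes:
    """Constructed stand-in for a real wheel: a zip with empty files at the given paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as whl:
        whl.writestr("cv2/__init__.py", "")
        for name in lib_names:
            whl.writestr(name, b"")
    return buf.getvalue()


# Constructed from the vendored file names quoted in this issue (not the real wheel).
SAMPLE_WHEEL = make_sample_wheel([
    "opencv_python_headless.libs/libavcodec-5696b3bf.so.59.37.100",
    "opencv_python_headless.libs/libavformat-bf63de55.so.59.27.100",
    "opencv_python_headless.libs/libavutil-cac768a8.so.57.28.100",
    "opencv_python_headless.libs/libswresample-a12ab15e.so.4.7.100",
    "opencv_python_headless.libs/libswscale-27999517.so.6.7.100",
])

if __name__ == "__main__":
    # expected_major: the libavcodec major the pinned FFMPEG_VERSION should produce
    # (the issue states .so.61 for the 8.0.1 pin); 59 is what the published wheel has.
    ok, msg = check_libavcodec_major(SAMPLE_WHEEL, expected_major=61)
    print(("PASS" if ok else "FAIL") + ": " + msg)
    for lib, ver in sorted(bundled_ffmpeg_libs(SAMPLE_WHEEL).items()):
        print(f"  {lib}.so.{'.'.join(map(str, ver))}")
```

On a real artifact, pass `pathlib.Path("opencv_python_headless-4.13.0.92-cp37-abi3-manylinux_2_28_aarch64.whl").read_bytes()` instead of `SAMPLE_WHEEL`; a non-zero exit on `FAIL` in the publish job would have caught a stale build image before the wheel reached PyPI, independent of what a scanner later flags.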
Expected
The wheels should bundle ffmpeg 8.0.1 as specified in the build Dockerfiles (docker/manylinux_2_28/Dockerfile_aarch64, docker/manylinux2014/Dockerfile_aarch64, etc.) which were updated in d098302.
Impact
The following CVEs are present in the bundled ffmpeg 5.1.6 and would be resolved by ffmpeg 8.0.1:
High:
- CVE-2025-1594
- CVE-2025-9951
- CVE-2023-49502
- CVE-2023-6605
- CVE-2023-50010
- CVE-2023-50008
- CVE-2024-31582
Medium:
- CVE-2023-6602
- CVE-2025-0518
- CVE-2025-25469
- CVE-2025-25468
- CVE-2023-6604
- CVE-2025-22919
- CVE-2025-59729
- CVE-2023-6601
- CVE-2025-59730
- CVE-2023-50007
Likely Cause
The CI build images used to compile the wheels appear to have been cached/stale and were not rebuilt from the updated Dockerfiles before publishing release 92.