[Aikido] Fix 2 critical issues in pyyaml and 17 other issues

[aikido-autofix]

Upgrade dependencies to fix critical RCE vulnerabilities in PyYAML (arbitrary code execution via unsafe YAML loading) and HIGH severity header leakage/SSL verification bypass issues in urllib3. This update includes breaking changes that require manual migration.

⚠️ Incomplete breaking changes analysis (2/3 analyzed)

⚠️ Breaking changes analysis not available for: pyyaml

⚠️ ## urllib3 upgrade (1.23 => 2.7.0)

Breaking Change: Python 2.7 Support Removed

• Where your code is affected:

  • setup.py:16 - Declares Python 2.7 support in classifiers

  • docs/source/running_elastalert.rst - Documents Python 2.7 as a requirement

• Impact: The codebase is explicitly designed for Python 2.7 (as declared in setup.py classifiers and documentation). urllib3 2.0.0+ dropped support for Python 2.7, 3.5, and 3.6. The application will fail to install or run with urllib3 2.7.0 on Python 2.7.

• Remediation: Upgrade the codebase to Python 3.8 or later (as urllib3 2.7.0 requires Python 3.8+), or pin urllib3 to a version compatible with Python 2.7 (< 2.0.0).

Breaking Change: requests.packages.urllib3 Access Removed

• Where your code is affected:

  • elastalert/alerts.py:1467 - requests.packages.urllib3.disable_warnings() in HipChatAlerter

  • elastalert/alerts.py:1947 - requests.packages.urllib3.disable_warnings() in StrideAlerter

• Impact: Since requests 2.16.0, urllib3 was unvendored. The requests.packages.urllib3 namespace no longer exists in modern versions of requests. Calls to requests.packages.urllib3.disable_warnings() will raise AttributeError.

• Remediation: Replace requests.packages.urllib3.disable_warnings() with direct imports: import urllib3; urllib3.disable_warnings().

Breaking Change: Certificate Validation Required by Default

• Where your code is affected: All HTTPS requests throughout the codebase (multiple alerters use requests.post() and requests.get())

• Impact: urllib3 1.25.0+ requires and validates certificates by default. If the codebase connects to services with self-signed certificates without explicitly setting verify=False, connections will fail with SSL verification errors.

• Remediation: Review all HTTPS connections and ensure proper certificate handling - either provide valid certificates or explicitly set verify=False where appropriate (already done in some alerters like HipChatAlerter and StrideAlerter).

All breaking changes by upgrading urllib3 from version 1.23 to 2.7.0 (CHANGELOG)

Version	Description
1.24.0	Drop support for EOL Python 2.6
1.25.0	Require and validate certificates by default when using HTTPS
1.25.0	Upgraded urllib3.utils.parse_url() to be RFC 3986 compliant
1.25.0	Switched the default multipart header encoder from RFC 2231 to HTML 5 working draft
2.0.0	Removed support for Python 2.7, 3.5, and 3.6
2.0.0	Removed fallback on certificate commonName in match_hostname() function
2.0.0	Removed support for Python with an ssl module compiled with LibreSSL, CiscoSSL, wolfSSL, and all other OpenSSL alternatives
2.0.0	Removed support for OpenSSL versions earlier than 1.1.1 or that don't have SNI support
2.0.0	Removed the list of default ciphers for OpenSSL 1.1.1+ and SecureTransport
2.0.0	Removed urllib3.contrib.appengine.AppEngineManager and support for Google App Engine Standard Environment
2.0.0	Removed deprecated Retry options method_whitelist, DEFAULT_REDIRECT_HEADERS_BLACKLIST
2.0.0	Removed urllib3.HTTPResponse.from_httplib
2.0.0	Removed default value of None for the request_context parameter of urllib3.PoolManager.connection_from_pool_key
2.0.0	Removed the urllib3.request module
2.0.0	Removed support for SSLv3.0 from the urllib3.contrib.pyopenssl
2.0.0	Removed the deprecated urllib3.contrib.ntlmpool module
2.0.0	Removed DEFAULT_CIPHERS, HAS_SNI, USE_DEFAULT_SSLCONTEXT_CIPHERS from urllib3.util.ssl_
2.0.0	Removed urllib3.exceptions.SNIMissingWarning
2.0.0	Removed the _prepare_conn method from HTTPConnectionPool
2.0.0	Removed tls_in_tls_required property from HTTPSConnection
2.0.0	Removed the strict parameter/attribute from HTTPConnection, HTTPSConnection, HTTPConnectionPool, HTTPSConnectionPool, and HTTPResponse
2.0.0	Changed urllib3.response.HTTPResponse.read to respect the semantics of io.BufferedIOBase regardless of compression
2.0.0	Changed urllib3.HTTPConnection.getresponse to return an instance of urllib3.HTTPResponse instead of http.client.HTTPResponse
2.0.0	Changed default SSLContext.minimum_version to be TLSVersion.TLSv1_2
2.0.0	Changed urllib3.util.create_urllib3_context to not override the system cipher suites with a default value
2.0.0	Changed multipart/form-data header parameter formatting matches the WHATWG HTML Standard
2.0.0	Changed the error raised when connecting via HTTPS when the ssl module isn't available from SSLError to ImportError
2.0.0	Changed enforce_content_length default to True
2.0.0	Changed all parameters in the HTTPConnection and HTTPSConnection constructors to be keyword-only except host and port
2.1.0	Removed support for the deprecated urllib3[secure] extra
2.1.0	Removed support for the deprecated SecureTransport TLS implementation
2.1.0	Removed support for the end-of-life Python 3.7
2.3.0	Removed support for Python 3.8
2.6.0	Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers
2.6.0	Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default)
2.6.0	The number of allowed chained encodings is now limited to 5

All breaking changes by upgrading requests from version 2.0.0 to 2.33.0 (CHANGELOG)

Version	Description
2.2.0	New exception: ContentDecodingError. Raised instead of urllib3 DecodeError exceptions.
2.3.0	The timeout parameter now affects requests with both stream=True and stream=False equally.
2.5.0	Restrict requests to HTTP/1.1 and HTTP/1.0 (stop accepting HTTP/0.9)
2.11.0	Fixed issue where responses whose body had not been fully consumed would have the underlying connection closed but not returned to the connection pool, which could cause Requests to hang in situations where the HTTPAdapter had been configured to use a blocking connection pool.
2.11.0	Some previous releases accidentally accepted non-strings as acceptable header values. This release does not.
2.11.0	Reject header values that contain leading whitespace or newline characters to reduce risk of header smuggling.
2.11.0	Fixed occasional TypeError when attempting to decode a JSON response that occurred in an error case. Now correctly returns a ValueError.
2.11.0	Added type checks to ensure that iter_content only accepts integers and None for chunk sizes.
2.14.0	When users provide invalid paths to certificate bundle files or directories Requests now raises IOError, rather than failing at the time of the HTTPS request with a fairly inscrutable certificate validation error.
2.14.0	Restricted HTTPDigestAuth to only respond to auth challenges made on 4XX responses, rather than to all auth challenges.
2.16.0	Unvendor ALL the things!
2.20.0	Requests has officially stopped support for Python 2.6.
2.22.0	Requests has officially stopped support for Python 3.4.
2.26.0	Requests has officially dropped support for Python 3.5.
2.27.0	Fixed urllib3 exception leak, wrapping urllib3.exceptions.InvalidHeader with requests.exceptions.InvalidHeader.
2.27.0	Fixed idna exception leak, wrapping UnicodeError with requests.exceptions.InvalidURL for URLs with a leading dot (.) in the domain.
2.28.0	Requests has officially dropped support for Python 2.7.
2.28.0	Requests has officially dropped support for Python 3.6 (including pypy3.6).
2.28.0	Parse header components consistently, raising an InvalidHeader error in all invalid cases.
2.28.0	Fixed urllib3 exception leak, wrapping urllib3.exceptions.SSLError with requests.exceptions.SSLError for content and iter_content.
2.30.0	Added support for urllib3 2.0. This may contain minor breaking changes so we advise careful testing and reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html prior to upgrading.
2.32.0	Dropped support for CPython 3.7.
2.32.0	Dropped support for PyPy 3.7 and 3.8.
2.33.0	Dropped support for Python 3.9 following its end of support.

✅ 19 CVEs resolved by this upgrade, including 2 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2020-14343	🚨 CRITICAL	[pyyaml] Arbitrary code execution vulnerability in YAML processing when handling untrusted input through full_load or FullLoader, allowing attackers to execute arbitrary code via malicious YAML constructs.
CVE-2017-18342	🚨 CRITICAL	[pyyaml] In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.
CVE-2023-43804	HIGH	[urllib3] A vulnerability allows unintended cookie leakage via HTTP redirects to different origins when users specify a Cookie header without explicitly disabling redirects. This can lead to information disclosure as sensitive cookie data may be exposed to unintended recipients.
CVE-2026-44431	HIGH	[urllib3] Sensitive headers (Authorization, Cookie, Proxy-Authorization) are not stripped during cross-origin redirects when using low-level APIs via ProxyManager.connection_from_url().urlopen(), leading to potential credential disclosure to untrusted origins.
CVE-2019-11324	HIGH	[urllib3] SSL certificate verification can be bypassed when custom CA certificates are specified, allowing connections that should fail to succeed due to improper handling of certificate validation contexts.
CVE-2025-66471	HIGH	[urllib3] The Streaming API improperly handles highly compressed data, allowing attackers to cause excessive CPU usage and massive memory allocation through decompression of small compressed payloads. This results in a denial-of-service vulnerability via resource exhaustion.
CVE-2026-21441	HIGH	[urllib3] Decompression bomb vulnerability in streaming API for HTTP redirects. Malicious servers can trigger excessive resource consumption by sending compressed redirect responses that are fully decompressed without respecting read limits.
CVE-2020-26137	MEDIUM	[urllib3] before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
CVE-2024-37891	MEDIUM	[urllib3] The Proxy-Authorization header is not stripped during cross-origin redirects when set manually without using urllib3's proxy support, potentially leaking authentication credentials to malicious origins. This vulnerability requires manual header configuration, enabled redirects, and specific redirect conditions to be exploited.
CVE-2018-25091	MEDIUM	[urllib3] Authorization header is not removed when following cross-origin redirects, potentially exposing credentials to unintended hosts or transmitting them in cleartext.
CVE-2019-11236	MEDIUM	[urllib3] In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVE-2025-50181	MEDIUM	[urllib3] A vulnerability allows disabling redirects for all requests through improper PoolManager instantiation with retries configuration, potentially bypassing SSRF and open redirect mitigations. Applications relying on disabled redirects to prevent these vulnerabilities remain exposed to attacks.
CVE-2023-45803	MEDIUM	[urllib3] HTTP redirect responses (301, 302, 303) fail to remove request bodies when changing POST to GET, potentially leaking sensitive data to malicious redirect destinations. This information disclosure vulnerability requires a compromised trusted service to exploit.
CVE-2018-18074	HIGH	[requests] The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
CVE-2014-1830	MEDIUM	[requests] (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.
CVE-2024-35195	MEDIUM	[requests] A vulnerability allows certificate verification to be permanently disabled for a host after the first request with verify=False, causing all subsequent requests to ignore certificate verification regardless of parameter changes, enabling man-in-the-middle attacks.
CVE-2026-25645	MEDIUM	[requests] The extract_zipped_paths() utility function uses predictable filenames when extracting zip archives to the temp directory, allowing local attackers to pre-create malicious files that get loaded instead of legitimate ones, resulting in arbitrary code execution.
CVE-2014-1829	MEDIUM	[requests] (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.
CVE-2024-47081	MEDIUM	[requests] A URL parsing vulnerability allows maliciously-crafted URLs to leak .netrc credentials to third parties. This could enable credential theft and unauthorized access to authenticated services.

🔗 Related Tasks

• https://humansecurity.atlassian.net/browse/AIKIDO-460
• https://humansecurity.atlassian.net/browse/AIKIDO-1260
• https://humansecurity.atlassian.net/browse/AIKIDO-347
• https://humansecurity.atlassian.net/browse/AIKIDO-1164