fix: update PyTorch to 2.6.0+ to fix torch.load() RCE vulnerability

[Jkavia]

Summary

Updates PyTorch dependency from `>=2.0.0` to `>=2.6.0` to address a Remote Code Execution (RCE) vulnerability in `torch.load()` that affects versions prior to 2.6.0.

Vulnerability Details

• Issue: RCE vulnerability in PyTorch's `torch.load()` function
• Affected Versions: PyTorch < 2.6.0
• Patched Version: PyTorch 2.6.0+
• Severity: High - Allows arbitrary code execution when loading untrusted model files, even with `weights_only=True`

Changes Made

1. `pyproject.toml`

• Updated PyTorch constraint: `"torch>=2.0.0"` → `"torch>=2.6.0"`
• Updated onnxruntime constraint: `"onnxruntime>=1.20,<=1.23"` → `"onnxruntime>=1.20,<1.24"`
• Added inline comment documenting the security fix

2. `src/backend/base/pyproject.toml`

• Updated agent-lifecycle-toolkit: `"agent-lifecycle-toolkit~=0.4.4"` → `"agent-lifecycle-toolkit>=0.10.1"`
• Updated onnxruntime constraint: `"onnxruntime>=1.20,<=1.23"` → `"onnxruntime>=1.20,<1.24"`
• Added comments explaining compatibility requirements

Impact Assessment

Scope: Optional `[docling]` extra only

• PyTorch is not a core dependency of Langflow
• Only affects users who explicitly install: `pip install langflow[docling]`
• Used for document processing features via the docling integration

Risk Level: Low

• No direct usage of `torch.load()` in Langflow codebase
• PyTorch is only a transitive dependency through `langchain-docling`
• Optional feature, not installed by default

Compatibility Verification

No Breaking Changes

1. Dependency Resolution: Successfully resolves with PyTorch 2.10.0 (latest)
2. Test Results: All 15 docling-related tests pass
3. PyTorch 2.6.0 Changes: Main change is `torch.load()` defaulting to `weights_only=True` (the security fix itself)

Additional Updates

agent-lifecycle-toolkit (0.4.4 → 0.10.1)

• Required to avoid dependency conflicts with PyTorch 2.6.0+
• Version 0.4.4 pinned PyTorch to 2.2.2 (vulnerable)
• Version 0.10.1 supports PyTorch 2.5.1+ (compatible with 2.6.0+)

onnxruntime constraint (`<=1.23` → `<1.24`)

• Allows patch versions like 1.23.2 required by agent-lifecycle-toolkit 0.10.1
• Functionally equivalent but provides better compatibility

Testing

```bash

Installation test

uv pip install -e ".[docling]" # Resolves successfully

Import test

python -c "import torch; print(torch.version)" # 2.10.0

Unit tests

pytest src/backend/tests/unit/components/docling/ -v # 14/14 passed
pytest src/backend/tests/unit/components/files_and_knowledge/ -k docling # 1/1 passed
```

References

• PyTorch 2.6.0 Release Notes: https://github.com/pytorch/pytorch/releases/tag/v2.6.0
• Security Advisory: RCE in `torch.load()` with `weights_only=True`

JIRA: https://datastax.jira.com/browse/LE-705
Security issue:
https://github.com/langflow-ai/langflow/security/dependabot/483
https://github.com/langflow-ai/langflow/security/dependabot/415

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d3edef81-a2b3-4d1b-a5e3-329421bfc551

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch depbot-fixes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.03%. Comparing base (41d34b2) to head (dce280e).
⚠️ Report is 1 commits behind head on release-1.9.0.

❌ Your project status has failed because the head coverage (44.71%) is below the target coverage (60.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@                Coverage Diff                @@
##           release-1.9.0   #12323      +/-   ##
=================================================
- Coverage          48.23%   48.03%   -0.20%     
=================================================
  Files               1848     1847       -1     
  Lines             160885   161548     +663     
  Branches           23643    23699      +56     
=================================================
- Hits               77607    77605       -2     
- Misses             82394    83059     +665     
  Partials             884      884              

Flag	Coverage Δ
backend	54.96% <ø> (+0.09%)	⬆️
frontend	47.29% <ø> (-0.31%)	⬇️
lfx	44.71% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 218 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Frontend Unit Test Coverage Report

Coverage Summary

Lines	Statements	Branches	Functions
	26.68% (27018/101229)	63.32% (3345/5282)	28.82% (639/2217)

Unit Test Results

Tests	Skipped	Failures	Errors	Time
2784	0 💤	0 ❌	0 🔥	3m 59s ⏱️

[ogabrielluiz]

Code review

Found 2 issues:

1. torchvision>=0.15.0 not bumped alongside torch>=2.6.0 -- torchvision has strict PyTorch version coupling (0.15.x is for PyTorch 2.0.x, 0.21.x is for PyTorch 2.6.x). A resolver could pick an incompatible older version. This was flagged in previous PRs (#11833, reverted in #11882).

langflow/pyproject.toml

Lines 110 to 113 in 9cc4ed3

	# Updated to 2.6.0+ to address CVE: RCE vulnerability in torch.load() with weights_only=True
	"torch>=2.6.0",
	"torchvision>=0.15.0",
	]

2. agent-lifecycle-toolkit>=0.10.1 has no upper bound. Previous pin was ~=0.4.4 (capped at <0.5). Consider >=0.10.1,<1.0 or ~=0.10.1. Also note that 0.10.1 transitively pulls litellm<2.0.0, which branch fix/remove-litellm-dependency was actively removing.

langflow/src/backend/base/pyproject.toml

Lines 316 to 318 in 9cc4ed3

	# Updated to 0.10.1+ for PyTorch 2.6.0 compatibility (addresses torch.load RCE vulnerability)
	altk = ["agent-lifecycle-toolkit>=0.10.1"]

[Jkavia]

@ogabrielluiz thanks for those insights, will make an update.