# ask-community
Martin Votruba
Hi, I am evaluating Prefect for use at our company. We use Snyk to detect vulnerabilities in our dependencies, and it turns out that the prefect Python package is vulnerable to CSRF: https://security.snyk.io/vuln/SNYK-PYTHON-PREFECT-6068118. The issue has already been reported and assigned in GitHub. Is there any ETA for when we can expect this to be fixed? https://github.com/PrefectHQ/prefect/issues/11380
Will Raphaelson
Hey @Martin Votruba - thanks for the question. Prefect OSS (which more broadly ships without auth or many security features) is vulnerable to CSRF at this time. We’ve bundled this with a few other infosec items and expect to have this all patched up in the next month.
Martin Votruba
Perfect, I know that this vulnerability only manifests when running the server locally. However, the high vuln alert in Snyk is not making my job of pushing for Prefect adoption at my company easier 🙃
Will Raphaelson
Totally, I understand.
John
Hi @Will Raphaelson This alert just popped up for me in GitHub as well. Looks like we all need to upgrade to 2.16.5.

Cross-Site Request Forgery vulnerability in Prefect
High severity. GitHub Reviewed. Published on Nov 16, 2023 to the GitHub Advisory Database.
Package: prefect (pip)
Affected versions: >= 2.0.0, < 2.16.5
Patched versions: 2.16.5
Description: An attacker is able to steal secrets and potentially gain remote code execution via CSRF using a self-hosted, open source Prefect API.
Will Raphaelson
Thanks John. We fully patched up this vulnerability and are working to get the CVE resolved officially.
John
Great! I'm in the process of updating our repos to the latest version of Prefect to take care of this vulnerability (which is not a big one for us because we're on cloud)
Chris Pickett
Cloud is unaffected, this is just for our open source product.
John
@Chris Pickett Thanks for the heads up! Yes sir, I'm honestly updating because I need to anyway. It is nice to not have that GitHub security warning pop up as well.