IAG 4.3.13 focuses on security hardening. Key updates include resolution of dependency vulnerabilities in the brace-expansion and ajv packages, and a fix for a compliance issue with the ruamel package.
Automation Gateway Versions
| component | version |
| --- | --- |
| automation_gateway | 4.3.64 |
Security fixes
| Issue | Description |
| --- | --- |
| Updated brace-expansion to resolve infinite loop vulnerability (ENG-22127) | Updated brace-expansion to versions 1.1.13 and 2.0.3 to resolve a Snyk-reported infinite loop vulnerability. |
| Updated ajv to resolve ReDoS vulnerability (ENG-21851) | Bumped ajv to version 8.18.0 to resolve a Regular Expression Denial of Service (ReDoS) vulnerability. |
| Updated swagger-ui-react to resolve XSS and prototype pollution vulnerabilities (ENG-20690, ENG-21007, ENG-17041) | Bumped swagger-ui-react to version 5.32.1 to resolve Cross-site Scripting (XSS) and Prototype Pollution vulnerabilities in the dompurify and js-yaml dependencies. |
| Updated protobuf to resolve uncontrolled recursion vulnerability (ENG-18673) | Resolved a high-severity vulnerability (CVE-2026-0994) in the protobuf package where deeply nested google.protobuf.Any messages could bypass the max_recursion_depth limit and trigger a RecursionError. |
Bug fixes
| Issue | Description |
| --- | --- |
| Updated ruamel package for HSBC compliance (ENG-21356) | Bumped the ruamel package to version 0.17.22 to align with HSBC compliance requirements. |