Summary
genie.libs.sdk directly pins pyasn1==0.6.0, which is affected by published denial-of-service CVEs.
The issue still appears present in the current genie.libs.sdk release: the middle SNMP dependency has been updated, but the direct pyasn1==0.6.0 pin remains.
Dependency path
application requirements
└── pyats[full]
└── genie
└── genie.libs.sdk
└── pyasn1==0.6.0
Notes
This does not appear to be caused by pysnmp pinning pyasn1==0.6.0.
Observed package metadata:
genie.libs.sdk==26.3:
pysnmp<6.2,>=6.1.4
pyasn1==0.6.0
genie.libs.sdk==26.6:
pysnmp==7.1.22
pyasn1==0.6.0
pysnmp==6.1.4:
pyasn1!=0.5.0,>=0.4.8
pysnmp==7.1.22:
pyasn1!=0.5.0,>=0.4.8
Security issue
pyasn1==0.6.0 is below the patched versions for known DoS vulnerabilities in ASN.1 decoding.
CVE-2026-23490: fixed in pyasn1 0.6.2
CVE-2026-30922: fixed in pyasn1 0.6.3
CVE-2026-59885: fixed in pyasn1 0.6.4
Minimum safe target:
Recommended fix
Update genie.libs.sdk package metadata to remove the exact pyasn1==0.6.0 pin and allow a patched version, preferably:
Summary
genie.libs.sdkdirectly pinspyasn1==0.6.0, which is affected by published denial-of-service CVEs.The issue still appears present in the current
genie.libs.sdkrelease: the middle SNMP dependency has been updated, but the directpyasn1==0.6.0pin remains.Dependency path
Notes
This does not appear to be caused by
pysnmppinningpyasn1==0.6.0.Observed package metadata:
Security issue
pyasn1==0.6.0is below the patched versions for known DoS vulnerabilities in ASN.1 decoding.Minimum safe target:
Recommended fix
Update
genie.libs.sdkpackage metadata to remove the exactpyasn1==0.6.0pin and allow a patched version, preferably: