CVE-2025-66293: Document affected versions and patch workflow-tests

README.md

@@ -10,6 +10,10 @@ It provides nodes to write and execute Python scripts and functionality to make
 
 _The legacy Python integrations can be found at [knime-python-legacy](https://github.com/KNIME/knime-python-legacy)._
 
+## Security
+
+For information about known security vulnerabilities and their impact, see [SECURITY-ADVISORY-CVE-2025-66293.md](SECURITY-ADVISORY-CVE-2025-66293.md).
+
 ## Content
 
 This repository contains the source code for the KNIME Python Integration.

SECURITY-ADVISORY-CVE-2025-66293.md

@@ -0,0 +1,129 @@
+# Security Advisory: CVE-2025-66293
+
+## Overview
+
+This document provides an analysis of the impact of **CVE-2025-66293** on the knime-python repository and guidance for users.
+
+## CVE Details
+
+- **CVE ID**: CVE-2025-66293
+- **Severity**: High (CVSS 7.1)
+- **Vulnerability**: Out-of-bounds read in libpng simplified API
+- **Affected versions**: libpng < 1.6.52
+- **Fixed version**: libpng >= 1.6.52
+- **Impact**: Potential crashes or denial of service when processing malicious PNG files with partial transparency and gamma correction
+
+## Affected Versions
+
+### Development Environment (pixi.lock)
+
+The main development environment uses libpng through the pixi/conda dependency management system.
+
+| Time Period | Commit | libpng Version | Status |
+|-------------|--------|----------------|--------|
+| June 2025 - November 2025 | 37f5d148 to fcd90691 | **1.6.47** | ❌ **VULNERABLE** |
+| November 2025 - January 2026 | cf0f5a87 to ee11f38e | **1.6.50** | ❌ **VULNERABLE** |
+| January 2026 onwards | f404f957+ | **1.6.54** | ✅ **PATCHED** |
+
+**Key dates:**
+- **2025-06-10**: libpng 1.6.47 introduced with pixi.toml (vulnerable)
+- **2025-11-11**: Updated to libpng 1.6.50 (still vulnerable)
+- **2026-01-26**: Updated to libpng 1.6.54 (patched)
+
+### Workflow Tests (workflow-tests/test-extension/pixi.lock)
+
+| Time Period | Commit | libpng Version | Status |
+|-------------|--------|----------------|--------|
+| September 2025 - February 2026 | adbd5847 to 3aeaddd | **1.6.50** | ❌ **VULNERABLE** |
+| February 2026 onwards | 99587b29+ | **1.6.54** | ✅ **PATCHED** |
+
+**Key dates:**
+- **2025-09-16**: libpng 1.6.50 introduced (vulnerable)
+- **2026-02-06**: Updated to libpng 1.6.54 (patched) - This PR
+
+## Impact Assessment
+
+### Who is Affected?
+
+1. **Developers using the development environment**:
+   - Anyone who cloned the repository between June 2025 and January 2026
+   - Developers using pixi environments created during this period
+
+2. **Workflow test environments**:
+   - Test environments created between September 2025 and February 2026
+
+### What is the Risk?
+
+The vulnerability could be exploited if:
+- A malicious PNG file is processed by Python code running in the affected environment
+- The PNG file contains partial transparency and gamma correction
+- Python packages that use libpng (e.g., Pillow, matplotlib) are used to process untrusted PNG files
+
+**Risk Level**: 
+- **High** for environments processing untrusted PNG files from external sources
+- **Medium** for development/testing environments with trusted input
+- **Low** for environments that don't process PNG files
+
+## Remediation
+
+### For Current Development
+
+✅ **Already Fixed**: The main repository now uses libpng 1.6.54 (as of commit f404f957 on 2026-01-26)
+
+✅ **Already Fixed**: The workflow-tests environment now uses libpng 1.6.54 (as of this PR)
+
+### For Users with Existing Environments
+
+If you have created a pixi environment from this repository before February 2026:
+
+1. **Update your environment**:
+   ```bash
+   cd /path/to/knime-python
+   git pull
+   pixi clean
+   pixi install
+   ```
+
+2. **Verify the libpng version**:
+   ```bash
+   pixi run python -c "import PIL; print(PIL.__version__)"
+   # Or check the lock file:
+   grep libpng pixi.lock
+   ```
+
+3. **Look for libpng 1.6.54** in the output - if you see 1.6.47 or 1.6.50, your environment needs updating.
+
+### For KNIME Analytics Platform Users
+
+**Note**: This vulnerability affects the **development environment** of knime-python, not the published KNIME Analytics Platform releases themselves.
+
+- KNIME Analytics Platform bundles its own Python environment
+- The pixi.lock files in this repository are used for development and testing only
+- Users of KNIME Analytics Platform should check with KNIME support for information about their specific version
+
+To check if your KNIME installation is affected:
+1. Contact KNIME support for version information
+2. Check the KNIME release notes for security updates
+3. Update to the latest KNIME Analytics Platform version
+
+## Timeline
+
+- **2025-06-10**: Vulnerable libpng 1.6.47 introduced in development environment
+- **2025-09-16**: Vulnerable libpng 1.6.50 introduced in workflow-tests
+- **2025-11-11**: Development environment updated to libpng 1.6.50 (still vulnerable)
+- **2025-12-XX**: libpng 1.6.52 released (fixed CVE-2025-66293)
+- **2026-01-XX**: libpng 1.6.54 released
+- **2026-01-26**: Development environment updated to libpng 1.6.54 (patched)
+- **2026-02-06**: Workflow-tests environment updated to libpng 1.6.54 (patched) - This PR
+
+## References
+
+- [CVE-2025-66293 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-66293)
+- [libpng Security Advisory](https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f)
+- [libpng 1.6.54 Release](http://www.libpng.org/pub/png/libpng.html)
+
+## Contact
+
+For questions or concerns:
+- Open an issue in the [knime-python repository](https://github.com/knime/knime-python/issues)
+- Contact KNIME Team Rakete: team-rakete@knime.com

workflow-tests/test-extension/pixi.toml

@@ -5,4 +5,5 @@ platforms = ["win-64", "linux-64", "osx-64", "osx-arm64"]
 
 [dependencies]
 python = ">=3.9"
-knime-python-versions = ">=5.7, <6.0"
+knime-python-versions = ">=5.7, <6.0"
+libpng = ">=1.6.52"