Update dependency pydantic-settings to v2.14.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pydantic-settings (changelog)	2.13.1 → 2.14.2

---

pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size

GHSA-4xgf-cpjx-pc3j

More information

Details

Summary

NestedSecretsSettingsSource reads secret values from files in a configured secrets_dir. When secrets_nested_subdir=True, a directory entry inside secrets_dir that is a symbolic link pointing outside secrets_dir is followed, so files outside the configured directory are read into settings values. The same code path bypasses the documented secrets_dir_max_size protection. An attacker or lower-privileged component able to influence entries in the configured secrets directory (for example, a writable or shared secrets mount) can turn this into an unintended local file read into settings and can defeat the advertised loading-size cap. This report does not claim network reachability by itself.

Details

NestedSecretsSettingsSource performed two passes over secrets_dir using two different, inconsistent directory-traversal implementations:

• The size check in validate_secrets_path() used Path.glob('**/*'), which does not descend into a symbolically-linked directory.
• The loader in load_secrets() used glob.iglob(f'{path}/**/*', recursive=True) followed by read_text(), which does follow symlinked directories and reads through the link target.

Because the two passes disagreed on symlinks, a symlinked directory inside secrets_dir whose target lives elsewhere was invisible to the size accounting (counted as 0 bytes) while still being fully read by the loader. This produces two distinct problems:

1. Out-of-tree read (CWE-22 / CWE-59). A symlinked directory (or file) inside secrets_dir that resolves outside it is followed, and the external file's contents are loaded into the corresponding settings field.
2. secrets_dir_max_size bypass (CWE-400). The size check never sees the out-of-tree content, so the documented size cap is neither respected nor able to reject the oversized external file. A related amplification exists for cyclic in-tree symlinks, which glob.iglob(recursive=True) re-traverses, inflating the size accounting and the number of loaded secrets.

Reproduction

In a clean Linux container, with a secrets_dir containing a symlink secrets/db -> /path/outside and an outside/passwd file of 512 bytes, while secrets_dir_max_size=100:

from pydantic import BaseModel
from pydantic_settings import (
    BaseSettings,
    SettingsConfigDict,
    NestedSecretsSettingsSource,
)

class Db(BaseModel):
    passwd: str | None = None

class Settings(BaseSettings):
    model_config = SettingsConfigDict(
        secrets_dir='secrets',
        secrets_nested_subdir=True,
        secrets_dir_max_size=100,  # outside/passwd is 512 bytes
    )
    db: Db = Db()

    @​classmethod
    def settings_customise_sources(
        cls, settings_cls, init_settings, env_settings, dotenv_settings, file_secret_settings
    ):
        return (NestedSecretsSettingsSource(file_secret_settings),)

On affected versions, Settings().db.passwd is populated with the 512-byte out-of-tree file and no SettingsError is raised, even though the file exceeds secrets_dir_max_size.

Impact

Applications that opt into NestedSecretsSettingsSource with secrets_nested_subdir=True and load secrets from a directory whose entries can be influenced by an attacker or a lower-privileged component (for example, a writable or shared secrets mount, or a secrets directory partially populated from untrusted input) are affected. The impact is:

• Confidentiality: files outside the configured secrets_dir can be read into settings values (local file read).
• Integrity / availability of the safeguard: the advertised secrets_dir_max_size cap can be bypassed, and cyclic symlinks can inflate resource usage during loading.

The vulnerability requires the ability to place a symbolic link inside the configured secrets directory; it is not remotely reachable on its own. Applications that do not use NestedSecretsSettingsSource, or that point secrets_dir at a directory fully under the application's control, are not affected.

Mitigation

Upgrade to pydantic-settings 2.14.2, which:

• walks the secrets directory explicitly and only descends into directories whose resolved path stays within secrets_dir, so symlinked directories pointing outside are never followed;
• uses a single, cycle-safe iterator for both the size check and the loader, so the size accounting and the loaded set are always consistent and each real directory is visited at most once;
• skips any file whose resolved path escapes secrets_dir, as defense in depth.

If upgrading is not immediately possible, ensure the configured secrets_dir is fully owned and controlled by the application (no writable or attacker-influenced entries), or avoid secrets_nested_subdir=True.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

• https://github.com/pydantic/pydantic-settings/security/advisories/GHSA-4xgf-cpjx-pc3j
• https://github.com/advisories/GHSA-4xgf-cpjx-pc3j

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pydantic/pydantic-settings (pydantic-settings)

v2.14.2

Compare Source

v2.14.1

Compare Source

What's Changed

• Bump the python-packages group with 4 updates by @​dependabot[bot] in #​850
• Bump the python-packages group with 5 updates by @​dependabot[bot] in #​854
• Bump the github-actions group with 3 updates by @​dependabot[bot] in #​853
• Bump the python-packages group with 2 updates by @​dependabot[bot] in #​856
• Fix field named cls conflicting with classmethod parameter by @​hramezani in #​858
• Prepare release 2.14.1 by @​hramezani in #​859

Full Changelog: pydantic/pydantic-settings@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed

• Fix parsing env vars into Optional Strict types by @​hramezani in #​792
• Fix RecursionError with mutually recursive models in CLI by @​hramezani in #​794
• Fix env_file from model_config ignored in CliApp.run() (#​795) by @​hramezani in #​796
• Update dependencies by @​hramezani in #​798
• Add Dependabot configuration by @​hramezani in #​801
• Bump samuelcolvin/check-python-version from 4.1 to 5 by @​dependabot[bot] in #​802
• Bump actions/upload-artifact from 4 to 7 by @​dependabot[bot] in #​803
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in #​804
• Bump astral-sh/setup-uv from 5 to 7 by @​dependabot[bot] in #​805
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in #​806
• Ignore chardet and group GitHub Actions in Dependabot by @​hramezani in #​808
• Bump actions/download-artifact from 4 to 8 in the github-actions group by @​dependabot[bot] in #​809
• Bump the python-packages group with 2 updates by @​dependabot[bot] in #​810
• Support reading .env files from FIFOs (e.g. 1Password Environments) by @​JacobHayes in #​776
• Fix AliasChoices ignored when changing provider priority by @​hramezani in #​813
• fix: resolve KeyError in run_subcommand for underscore field names by @​bradykieffer in #​799
• Bump the python-packages group with 3 updates by @​dependabot[bot] in #​814
• Fix Literal[numeric Enum] coercion for CLI and env vars by @​m9810223 in #​811
• Fix nested discriminated unions not discovered by env/CLI providers by @​hramezani in #​816
• Bump the python-packages group with 3 updates by @​dependabot[bot] in #​820
• CLI ensure env nested max split internally. by @​kschwab in #​821
• Bump the python-packages group with 4 updates by @​dependabot[bot] in #​824
• Migrate boto3-stubs to types-boto3 by @​hramezani in #​831
• Fix CLI not recognizing field name with validate_by_name and AliasChoices by @​hramezani in #​826
• Allow customisation of the dotevn setting source to filter variables by @​CaselIT in #​832
• Bump the python-packages group with 3 updates by @​dependabot[bot] in #​833
• Introduce yamlfmt by @​Viicos in #​836
• Bump boto3 from 1.42.82 to 1.42.83 in the python-packages group by @​dependabot[bot] in #​837
• Introduce zizmor by @​Viicos in #​838
• Fix CliPositionalArg[list[CustomType]] crash for custom types by @​hramezani in #​839
• Add note about Mypy plugin for BaseSettings.__init__() by @​Viicos in #​842
• Fix cli_ignore_unknown_args=True not working on subcommands by @​hramezani in #​844
• Bump the python-packages group with 4 updates by @​dependabot[bot] in #​847
• Fix CLI descriptions lost under python -OO by falling back to json_schema_extra by @​hramezani in #​843
• Prepare release 2.14.0 by @​hramezani in #​848

New Contributors

• @​dependabot[bot] made their first contribution in #​802
• @​JacobHayes made their first contribution in #​776
• @​bradykieffer made their first contribution in #​799
• @​CaselIT made their first contribution in #​832

Full Changelog: pydantic/pydantic-settings@v2.13.1...v2.14.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Sonar insights (advisory, no merge-block)

Snapshot of bernstein on the configured Sonar instance:

Metric	Value
Coverage	80.1
Code smells	0
Bugs	0
Vulnerabilities	0
Security hotspots	0

Run bernstein doctor sonar locally for the full surface.

This comment is a soft signal. The Sonar scan runs on push to main; the PR check itself never fails on smells.

[github-actions]

Review-bot acknowledgement summary

• Must-address findings: 0 (0 acknowledged, 0 open)
• Informational findings: 0

All must-address findings are resolved or acknowledged.

[github-actions]

bernstein doctor observe for PR #2077 (renovate/pypi-pydantic-settings-vulnerability): ok=1, warn=0, fail=1, error=0, skipped=2

sonar -- OK (project bernstein)

metric	value	delta	threshold	status
coverage_pct	80.1%	new	80.0%	ok
code_smells	0	new	50	ok
bugs	0	new	0	ok
vulnerabilities	0	new	0	ok
security_hotspots	0	new	0	ok

code-scanning -- FAIL (41 open alert(s))

metric	value	delta	threshold	status
open_alerts	41	new	0	fail
critical_alerts	1	new	0	fail
high_alerts	16	new	0	fail
medium_alerts	6	new	-	ok
low_alerts	1	new	-	ok

Skipped backends (credentials not configured)

• glitchtip: BERNSTEIN_GLITCHTIP_TOKEN not set
• dt: DTRACK_URL/TOKEN/PROJECT not set

See docs/observability/unified-doctor.md for backend setup notes.