Skip to content

Commit 818cfd2

Browse files
committed
chore(release): bump version to 5.1.2
- Bump core APP_VERSION, pyproject.toml, sdk-ts/package.json, sdk-rust/Cargo.toml, sdk-rust/README.md, k8s deployment image tag - Add CHANGELOG entry for v5.1.2 (CWE-95, CVSS 8.8) - Update README release section
1 parent 6066b68 commit 818cfd2

8 files changed

Lines changed: 34 additions & 13 deletions

File tree

CHANGELOG.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,27 @@ All notable changes to the QWED Protocol will be documented in this file.
44

55
## [Unreleased]
66

7+
## [5.1.2] - 2026-06-14
8+
### Security: SymPy Expression Injection Fix (CWE-95)
9+
10+
Emergency patch fixing a **High severity (CVSS 8.8) authenticated RCE vulnerability** in SymPy `parse_expr()` across all math verification paths.
11+
12+
#### Security Fix
13+
- **CWE-95 mitigation**: Added `safe_parse_expr()` wrapper with denylist, stripped `__builtins__`, allow-listed math namespace, per-call global dict copy, and post-parse validation. Replaced all 17 direct `parse_expr()` call sites in `main.py`, `verifier.py`, `batch.py`, and `validator.py`.
14+
- **Symbol consistency**: Added `get_safe_symbol()` to ensure calculus variables (`n`, Greek letters) match special SymPy assumptions, preventing incorrect `diff`/`integrate`/`limit` results.
15+
- **Defense-in-depth**: Pre-parse AST depth limit, post-parse SymPy tree depth validation, `sympy.Expr` type enforcement, `extra_symbols` key/value validation, and sanitized exception handling.
16+
17+
#### Fixes and Hardening
18+
- **Cache Redis fail-closed**: Enforced fail-closed Redis backend for distributed cache mode (PR #199).
19+
- **Benchmarks CI**: CodSpeed performance benchmark workflow added (PR #198).
20+
- **TS SDK lockfile**: Restored `package-lock.json` for reliable `npm ci` in publish workflow (PR #197).
21+
22+
#### Included PRs since v5.1.1
23+
- `#197` fix(ts-sdk): lockfile restore for npm ci publish
24+
- `#198` ci: CodSpeed performance benchmarks
25+
- `#199` fix(cache): fail-closed Redis backend for distributed mode
26+
- `#200` fix(math): restrict sympy expression parsing (CWE-95)
27+
728
## [5.1.1] - 2026-05-21
829
### Release Consistency and Fail-Closed Follow-Through
930

README.md

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -60,16 +60,16 @@
6060

6161
---
6262

63-
## Release Update: v5.1.1
63+
## Release Update: v5.1.2
6464

65-
`v5.1.1` is a patch release focused on **fail-closed follow-through and release consistency** after `v5.1.0`.
65+
`v5.1.2` is an **emergency security patch** fixing a **High severity (CVSS 8.8) authenticated RCE vulnerability** via unsafe SymPy `parse_expr()` calls.
6666

67-
- Tightens cache trust-context binding to prevent cross-context verification replay
68-
- Hardens attestation and audit paths toward stricter fail-closed behavior
69-
- Cleans up proof-path handling across reasoning, symbolic, batch, and agent-service flows
70-
- Aligns package versions, API version markers, SDK metadata, and deployment references for a clean release boundary
67+
- **CWE-95 fix**: All 17 direct `parse_expr()` calls replaced with `safe_parse_expr()` — denylist + stripped builtins + allow-listed math namespace
68+
- **Calculus symbol consistency**: Fixed `n` variable mismatch in derivatives, integrals, and limits
69+
- **Defense-in-depth**: AST depth limits, SymPy tree validation, relational expression rejection
70+
- Cache Redis fail-closed hardening, CodSpeed benchmarks, TS SDK lockfile fixes
7171

72-
If you're upgrading from `v5.1.0`, review the [changelog](CHANGELOG.md) for deployment/image reference updates and patch-level boundary hardening notes.
72+
If you're upgrading from `v5.1.1`, review the [changelog](CHANGELOG.md) for the full security advisory details.
7373

7474
---
7575

deploy/kubernetes/deployment.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ spec:
1717
spec:
1818
containers:
1919
- name: qwed-core
20-
image: docker.io/qwedai/qwed-verification:5.1.1
20+
image: docker.io/qwedai/qwed-verification:5.1.2
2121
imagePullPolicy: IfNotPresent
2222
ports:
2323
- containerPort: 8000

pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[project]
22
name = "qwed"
3-
version = "5.1.1"
3+
version = "5.1.2"
44
description = "The Deterministic Verification Protocol for AI - 11 verification engines for math, logic, code, SQL, facts, images, and more. Now with Agentic Security Guards."
55
authors = [
66
{name = "QWED Team", email = "rahul@qwedai.com"},

sdk-rust/Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "qwed"
3-
version = "5.1.1"
3+
version = "5.1.2"
44
edition = "2021"
55
authors = ["QWED-AI"]
66
description = "Rust SDK for QWED Verification Protocol"

sdk-rust/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ Add to your `Cargo.toml`:
1111

1212
```toml
1313
[dependencies]
14-
qwed = "5.1.1"
14+
qwed = "5.1.2"
1515
tokio = { version = "1.0", features = ["rt-multi-thread", "macros"] }
1616
```
1717

sdk-ts/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{
22
"name": "@qwed-ai/sdk",
3-
"version": "5.1.1",
3+
"version": "5.1.2",
44
"description": "TypeScript SDK for QWED Verification Protocol",
55
"main": "dist/index.js",
66
"module": "dist/index.mjs",

src/qwed_new/api/main.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@
3232
SessionDependency = Annotated[Session, Depends(get_session)]
3333
AgentTokenHeader = Annotated[str, Header(...)]
3434

35-
APP_VERSION = "5.1.1"
35+
APP_VERSION = "5.1.2"
3636

3737
app = FastAPI(
3838
title="QWED API",

0 commit comments

Comments
 (0)