CVSS V3: 5.3
Status
Impact
The vulnerable pillow-10.2.0 and requests-2.31.0 wheel files are bundled in pyodide's pre-downloaded package cache in the open-webui frontend. These packages are installed only at runtime, in the browser's isolated Python environment, when a user executes a Python code block that imports these specific libraries (e.g., when the code contains import requests or uses matplotlib, which depends on pillow). The packages are installed dynamically via pyodide's micropip installer and do not affect the server-side application or the system Python environment. Remediation requires an upstream fix from the pyodide project to update its bundled package versions, because open-webui depends on pyodide 0.27.3, which includes these specific vulnerable versions.
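To confirm which of the wheels named above are actually present in a given build, the bundled cache can be inventoried by filename. The following is an added example, not code from open-webui or pyodide; it assumes standard wheel filenames (name-version-[build-]python-abi-platform.whl), takes the cache directory as an argument, and falls back to constructed sample filenames.

```python
import re
import sys
from pathlib import Path

# Versions named in the impact statement above (normalised name -> versions).
FLAGGED = {"pillow": {"10.2.0"}, "requests": {"2.31.0"}}

# Constructed sample filenames, not a listing taken from a real build.
SAMPLE = [
    "numpy-2.0.2-cp312-cp312-pyodide_2024_0_wasm32.whl",
    "pillow-10.2.0-cp312-cp312-pyodide_2024_0_wasm32.whl",
    "requests-2.31.0-py3-none-any.whl",
    "pyodide-lock.json",
]

def normalize(name):
    """PEP 503 style normalisation so 'Pillow' and 'pillow' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_wheel(filename):
    """Return (normalised name, version) for a wheel filename, else None."""
    if not filename.endswith(".whl"):
        return None
    parts = filename[:-4].split("-")
    # name-version-python-abi-platform, with an optional build tag after version
    if len(parts) not in (5, 6):
        return None
    return normalize(parts[0]), parts[1]

def flagged_wheels(filenames, flagged=FLAGGED):
    """Return (filename, name, version) for every wheel at a flagged version."""
    hits = []
    for fn in sorted(filenames):
        parsed = parse_wheel(fn)
        if parsed and parsed[1] in flagged.get(parsed[0], ()):
            hits.append((fn, *parsed))
    return hits

def scan_dir(cache_dir):
    """Walk a directory (path supplied by the caller) and flag bundled wheels."""
    return flagged_wheels(p.name for p in Path(cache_dir).rglob("*.whl"))

if __name__ == "__main__":
    hits = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else flagged_wheels(SAMPLE)
    for fn, name, version in hits:
        print(f"bundled: {name} {version} ({fn})")
    sys.exit(1 if hits else 0)
```

A non-zero exit status means at least one flagged wheel is bundled, which makes the script usable as a build or CI gate once the upstream pyodide release changes the bundled versions.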