mem0

vts-v3.0.6 scope: ts Security

This release includes 14 security fixes for security teams reviewing exposed deployments.

This release patches 14 known CVEs

Topics

agents ai ai-agents application chatbots chatgpt
genai llm long-term-memory memory memory-management python state-management

Affected surfaces

deps

ReleasePort's take

Moderate signal
editorial:auto 2d

The release upgrades axios to ^1.16.0 to fix high-severity prototype‑pollution vulnerabilities that could enable credential theft, MITM attacks, and denial‑of‑service.

Why it matters: High‑severity (severity 90) prototype‑pollution CVEs in axios affect any project using the dependency; upgrading to ^1.16.0 eliminates these risks.

Summary

AI summary

Bumped axios and multiple transitive dependencies to remediate high‑severity prototype‑pollution CVEs.

Changes in this release

Security Critical

Bumped axios to ^1.16.0 to remediate high-severity prototype-pollution vulnerabilities (credential theft, MITM, DoS).

Source: llm_adapter@2026-06-01

Confidence: high

Security High

Pinned jws to 4.0.1 to address CVE-2025-65945.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Security High

Pinned langsmith to ^0.6.0 to address CVE-2026-45134.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Security High

Pinned tar-fs to ^2.1.4 to address CVE-2025-48387 and CVE-2025-59343.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Security High

Pinned picomatch to ^2.3.2 to address CVE-2026-33671.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Security High

Pinned minimatch to ^3.1.3, ^5.1.8, and ^9.0.7 to address CVE-2026-27903, CVE-2026-27904, and CVE-2026-26996.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Security High

Pinned path-to-regexp to ^8.4.0 to address CVE-2026-4926.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Security High

Pinned rollup to ^4.59.0 to address CVE-2026-27606.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Security High

Pinned glob to ^10.5.0 to address CVE-2025-64756.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Security High

Pinned @modelcontextprotocol/sdk to ^1.25.4 to address CVE-2025-66414 and CVE-2026-0621.

Source: granite4.1:30b@2026-06-01-audit

Confidence: low

Full changelog

Mem0 Node SDK (v3.0.6)

Security:

  • Dependencies: Bumped axios to ^1.16.0 to remediate high-severity prototype-pollution CVEs (credential theft, MITM, DoS). Pinned transitive dependencies via pnpm overrides: jws → 4.0.1 (CVE-2025-65945), langsmith → ^0.6.0 (CVE-2026-45134), tar-fs → ^2.1.4 (CVE-2025-48387, CVE-2025-59343), picomatch → ^2.3.2 (CVE-2026-33671), minimatch → ^3.1.3 / ^5.1.8 / ^9.0.7 (CVE-2026-27903, CVE-2026-27904, CVE-2026-26996), path-to-regexp → ^8.4.0 (CVE-2026-4926), rollup → ^4.59.0 (CVE-2026-27606), glob → ^10.5.0 (CVE-2025-64756), @modelcontextprotocol/sdk → ^1.25.4 (CVE-2025-66414, CVE-2026-0621)

Security Fixes

  • Bumped axios to ^1.16.0 (remediates high‑severity prototype‑pollution CVEs).
  • dep: jws → 4.0.1 (CVE-2025-65945)
  • dep: langsmith → ^0.6.0 (CVE-2026-45134)
  • dep: tar-fs → ^2.1.4 (CVE-2025-48387, CVE-2025-59343)
  • dep: picomatch → ^2.3.2 (CVE-2026-33671)
  • dep: minimatch → ^3.1.3 / ^5.1.8 / ^9.0.7 (CVE-2026-27903, CVE-2026-27904, CVE-2026-26996)
  • dep: path-to-regexp → ^8.4.0 (CVE-2026-4926)
  • dep: rollup → ^4.59.0 (CVE-2026-27606)
  • dep: glob → ^10.5.0 (CVE-2025-64756)
  • dep: @modelcontextprotocol/sdk → ^1.25.4 (CVE-2025-66414, CVE-2026-0621)

About mem0

Universal memory layer for AI Agents
