Alert Inspector UI container for the VSS event reviewer usecase
The VSS Alert Inspector UI Microservice is part of the NVIDIA Video Search and Summarization Blueprint used as part ot the event reviewer deployment.
VSS User Guide
User Guide is available at: https://docs.nvidia.com/vss/index.html
NOTE: This project will download and install additional third-party open source software projects. Review the license terms of these open source projects before use.
Known CVEs
VSS Alert Inspector UI container 2.4.1 has following known CVEs:
| CVE | Description |
|---|---|
| CVE-2025-53000 | This impacts nbconvert python package. This does not affect VSS since this is applicable only on Windows. |
| CVE-2025-68973 | This impacts gnupg < 2.4.8. This does not affect VSS since it does not implement GPG encryption. |
| GHSA-58pv-8j8x-9vj2 | This impacts jaraco.context < 6.1.0 python package. This does not affect VSS since it does not install user provided python packages. |
| CVE-2026-21441 | This affects urllib3 < 2.6.3 python package. This does not affect VSS since it does not access user provided URLs at runtime. |
| CVE-2024-8966 | This impacts gradio <= 5.22.0 python package, This impacts the file upload functionality of Gradio UI where an attacker can cause Denial-of-Service (DoS) attack by appending a large number of characters to the end of a multipart boundary. This does not affect VSS since the underlying root cause is already fixed by having a newer version 0.0.18 of python-multipart which does not have this vulnerability. |
VSS Alert Inspector UI container 2.4.0 (previous version) has following known CVEs:
| CVE | Description |
|---|---|
| CVE-2025-4565 | This impacts protobuf < 4.25.8 python package, This impacts parsing of untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags leading to unbounded recursions and potential Denial-of-Service when protobuf pure-Python backend is used. This does not affect VSS since python backend of protobuf is not used. |
| CVE-2025-48379 | This impacts pillow < 11.3.0 There is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This can be remedied by upgrading to pillow 11.3.0. This package is not used directly within the Microservice, it is installed as a dependency. |
Deployment Note
The Video Search and Summarization Blueprint is shared as reference and is provided "as is". The security in the production environment is the responsibility of the end users deploying it. When deploying in a production environment, please have security experts review any potential risks and threats; define the trust boundaries, implement logging and monitoring capabilities, secure the communication channels, integrate AuthN & AuthZ with appropriate access controls, keep the deployment up to date, ensure the containers/source code are secure and free of known vulnerabilities. The end users are also responsible for ensuring integrity and authenticity of the models and containers.
GOVERNING TERMS
This blueprint is governed by the NVIDIA Software License Agreement and Product-Specific Terms for NVIDIA AI Products and enables use of separate open source and proprietary software and models governed by their respective licenses: NVIDIA Cosmos-Reason2-8B, NVIDIA Cosmos Reason 1-7B, ReIdentificationNet, Grounding Dino, Facebook Research SAM2, Llama 3.1 70B Instruct NIM, NVIDIA Retrieval QA Llama 3.2 1B Reranking v2 NIM, and NVIDIA Retrieval QA Llama 3.2 1B Embedding v2 NIM. Use of the sample data is governed by the NVIDIA Sample Data License. ADDITIONAL INFORMATION: Apache 2.0 for SAM2. Llama 3.1 Community License Agreement and Llama 3.2 Community License Agreement. Built with Llama.