From 5e1a95a7852a71a9b05f06fc0805f42597a38b12 Mon Sep 17 00:00:00 2001
From: Case36 <case36@example.com>
Date: Sat, 30 May 2026 16:41:36 +0800
Subject: [PATCH 1/2] fix: bump nltk lower bound to 3.9.3 to address
 CVE-2025-14009 (fixes #2269)

---
 packages/graphrag/pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/graphrag/pyproject.toml b/packages/graphrag/pyproject.toml
index f9fa8b537..7d1bc0cb5 100644
--- a/packages/graphrag/pyproject.toml
+++ b/packages/graphrag/pyproject.toml
@@ -46,7 +46,7 @@ dependencies = [
     "graspologic-native~=1.2",
     "json-repair~=0.30",
     "networkx~=3.4",
-    "nltk~=3.9",
+    "nltk>=3.9.3",
     "numpy~=2.1",
     "pandas~=2.3",
     "pyarrow~=22.0",

From cecdf8adb3256758aa5747e89540cd031ac6496e Mon Sep 17 00:00:00 2001
From: Case37 <case37@example.com>
Date: Sat, 30 May 2026 16:48:41 +0800
Subject: [PATCH 2/2] fix: validate embedding vector dimensions before vector
 store insertion (ref #2265)

---
 .../graphrag/index/operations/embed_text/embed_text.py     | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/packages/graphrag/graphrag/index/operations/embed_text/embed_text.py b/packages/graphrag/graphrag/index/operations/embed_text/embed_text.py
index 59424272d..b1f5db805 100644
--- a/packages/graphrag/graphrag/index/operations/embed_text/embed_text.py
+++ b/packages/graphrag/graphrag/index/operations/embed_text/embed_text.py
@@ -133,6 +133,13 @@ async def _flush_embedding_buffer(
             )
         )
 
+    if documents:
+        dims = {len(d.vector) for d in documents}
+        if len(dims) > 1:
+            msg = f"Inconsistent embedding dimensions: {dims}. Check that your embedding model returns consistent vector sizes."
+            callbacks.error(msg)
+            raise ValueError(msg)
+
     vector_store.load_documents(documents)
 
     if skipped > 0: