
[Aikido] Fix 26 security issues in aiohttp, pypdf, fastmcp and 6 more#67

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-31534368-rq86

Conversation

aikido-autofix[bot] (Contributor) commented May 8, 2026

Upgrade dependencies to fix critical buffer overflow in cryptography and multiple AIOHTTP vulnerabilities including header injection, DoS, and information disclosure.

✅ 26 CVEs resolved by this upgrade, including 2 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-39892 | 🚨 CRITICAL | [cryptography] Non-contiguous buffers passed to cryptographic APIs can cause buffer overflows, potentially leading to memory corruption and arbitrary code execution. |
| CVE-2026-34073 | MEDIUM | [cryptography] DNS name constraint validation was incomplete, only checking Subject Alternative Names in child certificates but not the peer name during validation, allowing constrained domains to bypass restrictions through wildcard certificates. |
| CVE-2026-34520 | 🚨 CRITICAL | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4. |
| CVE-2026-34515 | HIGH | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about an NTLMv2 remote path. This issue has been patched in version 3.13.4. |
| CVE-2026-34516 | HIGH | [aiohttp] A response with an excessive number of multipart headers can consume more memory than intended, leading to a denial of service (DoS) vulnerability through resource exhaustion. |
| CVE-2026-34513 | HIGH | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4. |
| CVE-2026-22815 | MEDIUM | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4. |
| CVE-2026-34525 | MEDIUM | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4. |
| CVE-2026-34514 | MEDIUM | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4. |
| CVE-2026-34517 | MEDIUM | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4. |
| CVE-2026-34518 | MEDIUM | [aiohttp] When following redirects to a different origin, the framework fails to drop the Cookie and Proxy-Authorization headers alongside the Authorization header, potentially leaking sensitive authentication credentials to untrusted domains. |
| CVE-2026-34519 | MEDIUM | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4. |
| CVE-2026-33699 | HIGH | [pypdf] A crafted PDF can trigger an infinite loop when processed in non-strict mode, causing a denial of service. This vulnerability allows attackers to crash or hang applications that parse untrusted PDF files. |
| CVE-2026-41312 | MEDIUM | [pypdf] A crafted PDF with compressed streams using /FlateDecode and specific predictor parameters can exhaust system RAM, causing a denial of service attack. The vulnerability occurs during PDF parsing when processing streams with predictor values other than 1 and large parameters. |
| CVE-2026-41313 | MEDIUM | [pypdf] A crafted PDF with a large trailer /Size value can cause excessive runtime when loaded in incremental mode, leading to denial of service. The vulnerability allows attackers to create PDFs that consume significant processing resources. |
| CVE-2026-41314 | MEDIUM | [pypdf] A crafted PDF with a /FlateDecode image using large size values can exhaust system RAM, causing a denial of service. This memory exhaustion vulnerability has been patched to prevent excessive resource consumption during PDF processing. |
| CVE-2026-40260 | MEDIUM | [pypdf] Manipulated XMP metadata entity declarations in PDF files can cause excessive RAM consumption, leading to denial of service. An attacker can craft a malicious PDF that exhausts memory when its XMP metadata is parsed. |
| CVE-2026-41168 | MEDIUM | [pypdf] A crafted PDF with malicious cross-reference streams or object streams can cause excessive processing time, leading to denial of service. An attacker can exploit this by specifying incorrect large /Size or /N values to trigger long runtimes during PDF parsing. |
| CVE-2026-42561 | HIGH | [python-multipart] Denial of service vulnerability in multipart part header parsing allows attackers to cause CPU exhaustion by sending requests with many repeated headers or oversized header values, impacting ASGI applications. |
| CVE-2026-40347 | MEDIUM | [python-multipart] A denial of service vulnerability exists in multipart form-data parsing when handling requests with large preamble or epilogue sections. Attackers can craft malicious requests to cause excessive processing and resource consumption. |
| AIKIDO-2026-10734 | MEDIUM | [fastmcp] File size limit bypass in FileUpload store_files tool due to trusting client-controlled size field instead of validating actual decoded payload size, enabling resource exhaustion and storage abuse through oversized uploads. |
| AIKIDO-2026-10735 | MEDIUM | [fastmcp] The package unconditionally forwards inbound Authorization headers when connecting sessions, allowing attackers to leak credentials to unrelated MCP servers through tool invocations, potentially causing authentication bypass or unauthorized access. |
| CVE-2026-25645 | MEDIUM | [requests] The extract_zipped_paths() utility function uses predictable filenames when extracting zip archives to the temp directory, allowing local attackers to pre-create malicious files that get loaded instead of legitimate ones, resulting in arbitrary code execution. |
| AIKIDO-2026-10472 | MEDIUM | [mcp] Command injection vulnerability in example code that executes shell commands with unsanitized user-controlled URLs, allowing attackers to inject arbitrary commands and achieve remote code execution. |
| CVE-2026-41425 | MEDIUM | [authlib] is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11. |
| CVE-2026-4539 | LOW | [pygments] A regular expression denial of service (ReDoS) vulnerability exists in the AdlLexer function that can be exploited locally to cause inefficient processing and potential denial of service. The vulnerability requires local access to trigger the malicious input against the vulnerable regex pattern. |
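
Several of the aiohttp and python-multipart entries in the table above are one class of bug seen from different sides: a header value that carries CR, LF or NUL (CVE-2026-34520, CVE-2026-34514, CVE-2026-34519), a request with two Host headers (CVE-2026-34525), and a header block with no upper bound on field count or size (CVE-2026-22815, CVE-2026-42561). The following is an added example, not aiohttp's, python-multipart's or Aikido's code, of the checks a framework, or an application that has to sit in front of an unpatched one, should apply. The numeric limits, the `SINGLETON_FIELDS` set and the `check` helper are hypothetical choices made for illustration.

```python
"""Header hygiene checks (added example; the limits below are hypothetical)."""
from __future__ import annotations

import re

MAX_HEADER_COUNT = 100               # hypothetical cap on number of header fields
MAX_HEADER_LINE_BYTES = 8 * 1024     # hypothetical cap on one "Name: value" line
MAX_HEADER_BLOCK_BYTES = 32 * 1024   # hypothetical cap on the whole header block

# Header names must be RFC 9110 tokens.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Values may not contain NUL, CR, LF, other C0 controls or DEL; HTAB is allowed.
_CTL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Fields that must appear at most once in a message (hypothetical set).
SINGLETON_FIELDS = frozenset({"host", "content-length"})


class HeaderError(ValueError):
    """Raised when a header or header block fails validation."""


def validate_field(name: str, value: str) -> None:
    """Reject a single field that could smuggle a line break or control byte."""
    if not _TOKEN_RE.match(name):
        raise HeaderError(f"invalid header name {name!r}")
    hit = _CTL_RE.search(value)
    if hit:
        raise HeaderError(f"control character {hit.group()!r} in value of {name}")
    if len(name) + len(value) + 2 > MAX_HEADER_LINE_BYTES:   # 2 for ": "
        raise HeaderError(f"header line too long for {name}")


def validate_headers(fields: list[tuple[str, str]]) -> dict[str, str]:
    """Validate a raw (name, value) list as a parser hands it over, and fold it.

    Repeated list-valued fields are joined with ", "; a repeated singleton field
    such as Host is rejected outright instead of silently taking the first or last.
    """
    if len(fields) > MAX_HEADER_COUNT:
        raise HeaderError(f"more than {MAX_HEADER_COUNT} header fields")
    folded: dict[str, str] = {}
    total = 0
    for name, value in fields:
        validate_field(name, value)
        total += len(name) + len(value) + 4          # ": " plus CRLF on the wire
        if total > MAX_HEADER_BLOCK_BYTES:
            raise HeaderError("header block too large")
        key = name.lower()
        if key in folded:
            if key in SINGLETON_FIELDS:
                raise HeaderError(f"multiple {name} headers")
            folded[key] = folded[key] + ", " + value.strip()
        else:
            folded[key] = value.strip()
    return folded


def check(fields: list[tuple[str, str]]) -> str | None:
    """Convenience wrapper: None when the block is acceptable, else the reason."""
    try:
        validate_headers(fields)
    except HeaderError as exc:
        return str(exc)
    return None


def build_header_line(name: str, value: str) -> bytes:
    """Serialise one outbound header, refusing a value that would inject a line.

    This is the check a server should run on attacker-influenced inputs such as a
    content type or reason phrase before they reach the wire.
    """
    validate_field(name, value)
    try:
        return f"{name}: {value}\r\n".encode("latin-1")
    except UnicodeEncodeError as exc:
        raise HeaderError(f"non-latin-1 character in value of {name}") from exc


if __name__ == "__main__":
    print(check([("Host", "example.com"), ("Host", "evil.example")]))
    print(check([("Content-Type", "text/plain\r\nX-Injected: 1")]))
    print(check([("X-A", "1")] * (MAX_HEADER_COUNT + 1)))
```

Rejecting rather than stripping is deliberate: a sanitiser that removes CR and LF still leaves the caller believing the value was safe, whereas an exception surfaces the injection attempt in logs.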

aikido-autofix[bot] (Contributor, Author) commented:

Closed by Aikido: a new AutoFix has been created → #69
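
For CVE-2026-34518 in the table above, the practitioner's caveat is that the fix lives inside the client library, so any code that follows redirects itself (for example with automatic redirects disabled) or that pins an older aiohttp needs the same policy. What follows is an added example, not aiohttp's implementation: a redirect loop that drops Authorization, Cookie and Proxy-Authorization whenever scheme, host or port changes, driven by a constructed in-memory transport so it runs offline. The hostnames, paths, token values and the `demo` routes are made up for illustration.

```python
"""Credential stripping on cross-origin redirects (added example, not aiohttp's code)."""
from __future__ import annotations

from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Request headers that must not cross an origin boundary.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """(scheme, host, port) with default ports normalised, so that
    https://a.example/ and https://a.example:443/ compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(headers: dict, from_url: str, to_url: str) -> dict:
    """Headers to send to to_url: unchanged on the same origin, credentials dropped otherwise."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(send, url: str, headers: dict, max_redirects: int = 5):
    """Issue a request via send(url, headers) -> (status, response_headers, body)
    and follow Location until a non-redirect answer or the hop limit."""
    hdrs = dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers, body = send(url, hdrs)
        location = resp_headers.get("Location")
        if status not in REDIRECT_STATUSES or location is None:
            return url, status, body
        target = urljoin(url, location)          # Location may be relative
        hdrs = headers_for_redirect(hdrs, url, target)
        url = target
    raise RuntimeError("too many redirects")


def make_fake_transport(routes: dict, log: list):
    """Constructed stand-in for a real client. routes maps url -> (status, location, body);
    every request is appended to log so the headers actually sent can be inspected."""
    def send(url, headers):
        log.append((url, dict(headers)))
        status, location, body = routes[url]
        return status, ({"Location": location} if location else {}), body
    return send


def demo():
    """Same-origin hop keeps credentials; the cross-origin hop loses them (constructed routes)."""
    routes = {
        "https://api.example.com/login": (302, "/v2/login", b""),
        "https://api.example.com/v2/login": (302, "https://cdn.example.net/r", b""),
        "https://cdn.example.net/r": (200, None, b"ok"),
    }
    log: list = []
    send = make_fake_transport(routes, log)
    initial = {"Authorization": "Bearer t0k3n", "Cookie": "sid=1", "Accept": "*/*"}
    result = follow_redirects(send, "https://api.example.com/login", initial)
    return result, log


if __name__ == "__main__":
    final, hops = demo()
    print(final)
    for url, sent in hops:
        print(url, sorted(sent))
```

Port normalisation matters: without it a redirect from https://api.example.com/ to https://api.example.com:443/ would be treated as cross-origin and needlessly drop the session, while the reverse mistake (comparing hostnames only) would keep credentials across an http downgrade on the same host.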

@aikido-autofix aikido-autofix Bot closed this May 12, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-update-packages-31534368-rq86 branch May 12, 2026 23:56
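
AIKIDO-2026-10734 in the table above is the general "trust the declared size" mistake. The following is an added example, not fastmcp's code: the flawed pattern beside a version that enforces the limit on the bytes actually decoded, quantum by quantum, and aborts before an oversized body is ever fully buffered. The upload shape (a client-declared size plus base64 content arriving in chunks), the `split_chunks` helper and the two sample payloads are constructed for illustration.

```python
"""Upload limit enforced on decoded bytes, not on a client-supplied size (added example)."""
from __future__ import annotations

import base64
import binascii
from typing import Iterable


class UploadRejected(ValueError):
    """Raised when an upload is refused."""


def vulnerable_store(declared_size: int, content_b64: str, max_bytes: int) -> bytes:
    """The flawed pattern: the limit is checked against a field the client controls,
    then the whole payload is decoded regardless of its real size."""
    if declared_size > max_bytes:
        raise UploadRejected("declared size exceeds limit")
    return base64.b64decode(content_b64)


def hardened_store(declared_size: int | None, chunks: Iterable[str], max_bytes: int) -> bytes:
    """Count decoded bytes as they arrive; the declared size is only a consistency
    check afterwards and never the basis of the limit."""
    out = bytearray()
    carry = ""                       # base64 decodes in 4-char quanta; keep the remainder
    for chunk in chunks:
        buf = carry + chunk
        usable = len(buf) - len(buf) % 4
        carry = buf[usable:]
        try:
            piece = base64.b64decode(buf[:usable], validate=True)
        except binascii.Error as exc:
            raise UploadRejected(f"invalid base64: {exc}") from exc
        if len(out) + len(piece) > max_bytes:
            raise UploadRejected(f"decoded payload exceeds {max_bytes} bytes")
        out += piece
    if carry:
        raise UploadRejected("truncated base64 payload")
    if declared_size is not None and declared_size != len(out):
        raise UploadRejected(f"declared size {declared_size} != actual {len(out)}")
    return bytes(out)


def is_rejected(declared_size: int | None, chunks: Iterable[str], max_bytes: int) -> bool:
    """True when hardened_store refuses the upload."""
    try:
        hardened_store(declared_size, chunks, max_bytes)
    except UploadRejected:
        return True
    return False


def split_chunks(s: str, n: int) -> list[str]:
    """Simulate a body arriving in arbitrary chunk sizes (not aligned to 4 chars)."""
    return [s[i:i + n] for i in range(0, len(s), n)]


# Constructed sample payloads.
B64_20_A = "QUFB" * 6 + "QUE="   # base64 of b"A" * 20
B64_10_B = "QkJC" * 3 + "Qg=="   # base64 of b"B" * 10


if __name__ == "__main__":
    LIMIT = 16
    # Client declares 5 bytes but ships 20: the flawed check lets it through.
    print(len(vulnerable_store(5, B64_20_A, LIMIT)))
    # The hardened path refuses the same upload, and accepts an honest one.
    print(is_rejected(5, split_chunks(B64_20_A, 7), LIMIT))
    print(hardened_store(10, split_chunks(B64_10_B, 7), LIMIT))
```

When the whole encoded string is already in memory, the cheaper precheck `len(encoded) * 3 // 4 > max_bytes` rejects most oversized uploads before any decoding; the chunked count is what protects a streaming endpoint where the total length is not known up front.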