Skip to content

[Aikido] Fix 44 security issues in cryptography, starlette, aiohttp and 11 more#75

Open
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-47030551-unud
Open

[Aikido] Fix 44 security issues in cryptography, starlette, aiohttp and 11 more#75
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-47030551-unud

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Upgrade dependencies to fix critical buffer overflow, Host header validation bypass, and null byte injection vulnerabilities.

✅ 44 CVEs resolved by this upgrade, including 3 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue Severity           Description 
CVE-2026-39892
 
🚨 CRITICAL
 [cryptography] Non-contiguous buffers passed to cryptographic APIs can cause buffer overflows, potentially leading to memory corruption and arbitrary code execution. 
CVE-2026-34073
 
MEDIUM
 [cryptography] DNS name constraint validation was incomplete, only checking Subject Alternative Names in child certificates but not the peer name during validation, allowing constrained domains to bypass restrictions through wildcard certificates. 
AIKIDO-2026-10923
 
🚨 CRITICAL
 [starlette] Improper Host header validation allows attackers to craft malicious headers with path or query delimiters, causing request.url.path to diverge from the actual requested path and potentially bypassing path-based security checks or authorization middleware. 
CVE-2026-48710
 
MEDIUM
 [starlette] The HTTP Host header was not validated before reconstructing request.url, allowing malformed headers to cause request.url.path to differ from the actual requested path. This could bypass security restrictions in middleware and endpoints that rely on request.url instead of the raw path. 
CVE-2026-34520
 
🚨 CRITICAL
 [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4. 
CVE-2026-34515
 
HIGH
 [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4. 
CVE-2026-34516
 
HIGH
 [aiohttp] A response with an excessive number of multipart headers can consume more memory than intended, leading to a denial of service (DoS) vulnerability through resource exhaustion. 
CVE-2026-34513
 
HIGH
 [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4. 
CVE-2026-47265
 
HIGH
 [aiohttp] Cookies set via the cookies parameter are sent after cross-origin redirects, potentially leaking sensitive data to attackers controlling redirects. This vulnerability allows information disclosure through cookie exposure across different origins. 
CVE-2026-34993
 
HIGH
 [aiohttp] CookieJar.load() with untrusted input allows arbitrary code execution through unsafe deserialization. This vulnerability impacts applications that load cookie files from untrusted sources. 
CVE-2026-22815
 
MEDIUM
 [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4. 
CVE-2026-34525
 
MEDIUM
 [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4. 
CVE-2026-34514
 
MEDIUM
 [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4. 
CVE-2026-34517
 
MEDIUM
 [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4. 
CVE-2026-34518
 
MEDIUM
 [aiohttp] When following redirects to a different origin, the framework fails to drop the Cookie and Proxy-Authorization headers alongside the Authorization header, potentially leaking sensitive authentication credentials to untrusted domains. 
CVE-2026-34519
 
MEDIUM
 [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4. 
AIKIDO-2026-10825
 
HIGH
 [fastmcp] Redirect URI validation bypass allowing attackers to register malicious URIs that pass validation but normalize to unintended paths, potentially enabling open redirect attacks through dot-segment manipulation. 
AIKIDO-2026-10826
 
HIGH
 [fastmcp] OAuth proxy consent screen vulnerability allows cross-site requests to silently reuse remembered approvals without user interaction, enabling unauthorized authorization. The fix implements Sec-Fetch-Site validation to require interactive prompts for cross-site navigations and ensures approval cookies are only set when remembered-consent mode is enabled. 
AIKIDO-2026-10824
 
HIGH
 [fastmcp] Improper cache key generation allows callers with broader authorization scopes to poison the cache with unfiltered tool/resource/prompt payloads that narrower-scoped callers subsequently receive, bypassing authorization filters. 
AIKIDO-2026-10734
 
MEDIUM
 [fastmcp] File size limit bypass in FileUpload store_files tool due to trusting client-controlled size field instead of validating actual decoded payload size, enabling resource exhaustion and storage abuse through oversized uploads. 
AIKIDO-2026-10735
 
MEDIUM
 [fastmcp] The package unconditionally forwards inbound Authorization headers when connecting sessions, allowing attackers to leak credentials to unrelated MCP servers through tool invocations, potentially causing authentication bypass or unauthorized access. 
CVE-2026-33699
 
HIGH
 [pypdf] A crafted PDF can trigger an infinite loop when processed in non-strict mode, causing a denial of service. This vulnerability allows attackers to crash or hang applications that parse untrusted PDF files. 
CVE-2026-41312
 
MEDIUM
 [pypdf] A crafted PDF with compressed streams using /FlateDecode and specific predictor parameters can exhaust system RAM, causing a denial of service attack. The vulnerability occurs during PDF parsing when processing streams with predictor values other than 1 and large parameters. 
CVE-2026-41313
 
MEDIUM
 [pypdf] A crafted PDF with a large trailer /Size value can cause excessive runtime when loaded in incremental mode, leading to denial of service. The vulnerability allows attackers to create PDFs that consume significant processing resources. 
CVE-2026-41314
 
MEDIUM
 [pypdf] A crafted PDF with a /FlateDecode image using large size values can exhaust system RAM, causing a denial of service. This memory exhaustion vulnerability has been patched to prevent excessive resource consumption during PDF processing. 
CVE-2026-40260
 
MEDIUM
 [pypdf] Manipulated XMP metadata entity declarations in PDF files can cause excessive RAM consumption, leading to denial of service. An attacker can craft a malicious PDF that exhausts memory when its XMP metadata is parsed. 
CVE-2026-41168
 
MEDIUM
 [pypdf] A crafted PDF with malicious cross-reference streams or object streams can cause excessive processing time, leading to denial of service. An attacker can exploit this by specifying incorrect large /Size or /N values to trigger long runtimes during PDF parsing. 
AIKIDO-2026-10938
 
MEDIUM
 [pypdf] A vulnerability in PDF 1.5 cross-reference stream parsing allows crafted PDFs with zero-only /W width arrays and large /Size values to cause excessive iteration, leading to denial of service through hangs or prolonged processing times. 
AIKIDO-2026-10937
 
LOW
 [pypdf] Layout-mode text extraction can be exploited via crafted PDFs with extreme character position offsets to cause excessive memory allocation and potential denial of service through unbounded whitespace string generation. 
CVE-2026-42561
 
HIGH
 [python-multipart] A denial of service vulnerability exists in multipart header parsing where attackers can send requests with excessive headers or oversized header values, causing high CPU consumption before request rejection. 
CVE-2026-40347
 
MEDIUM
 [python-multipart] A denial of service vulnerability exists in multipart form-data parsing when handling requests with large preamble or epilogue sections. Attackers can craft malicious requests to cause excessive processing and resource consumption. 
CVE-2026-44432
 
HIGH
 [urllib3] Improper decompression handling allows attackers to trigger excessive resource consumption (CPU and memory) by forcing full decompression of highly compressed HTTP responses during partial reads or drain operations. 
CVE-2026-44431
 
MEDIUM
 [urllib3] is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0. 
AIKIDO-2026-11057
 
HIGH
 [soupsieve] A memory exhaustion vulnerability exists in the CSS selector parser that creates excessive CSSSelector objects from large comma-separated lists without limits, allowing attackers to trigger denial of service through crafted selector strings with ~488x memory amplification. 
AIKIDO-2026-11059
 
MEDIUM
 [soupsieve] Regular expression denial of service vulnerability in CSS selector parser due to exponential backtracking on unterminated quoted attribute selectors, allowing attackers to cause severe CPU consumption and parser hangs with minimal input. 
AIKIDO-2026-10912
 
HIGH
 [yarl] A URL parser vulnerability allows malformed authority and host strings that violate RFC 3986, enabling host confusion attacks where parsed fields resolve to different hosts than serialized strings, potentially bypassing validation or routing logic. 
AIKIDO-2026-11083
 
HIGH
 [mcp] Session IDs on authenticated MCP servers were not bound to credentials, allowing authenticated users to hijack other users' sessions via leaked session IDs. Additionally, task IDs lacked session scoping, enabling cross-session task manipulation and unauthorized access to other users' tasks. 
AIKIDO-2026-10472
 
MEDIUM
 [mcp] Command injection vulnerability in example code that executes shell commands with unsanitized user-controlled URLs, allowing attackers to inject arbitrary commands and achieve remote code execution. 
CVE-2026-44681
 
MEDIUM
 [authlib] Unauthenticated open redirect vulnerability in OpenID authorization endpoints allows remote attackers to redirect users to arbitrary URLs by omitting the openid scope from authorization requests. 
CVE-2026-41425
 
MEDIUM
 [authlib] is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11. 
CVE-2026-41479
 
MEDIUM
 [authlib] OAuth 2.0 authorization endpoint can be exploited as an unauthenticated open redirect when an unsupported response_type is used with an attacker-controlled redirect_uri, enabling phishing and credential theft attacks. The vulnerability occurs before client validation and redirect URI verification, requiring no prior authentication or valid client registration. 
CVE-2026-25645
 
MEDIUM
 [requests] The extract_zipped_paths() utility function uses predictable filenames when extracting zip archives to the temp directory, allowing local attackers to pre-create malicious files that get loaded instead of legitimate ones, resulting in arbitrary code execution. 
CVE-2026-45409
 
LOW
 [idna] A denial-of-service vulnerability exists where specially crafted inputs with repeated Unicode characters cause excessive processing time in domain name validation. Enforcing a 253-character length limit before processing mitigates the issue. 
CVE-2026-4539
 
LOW
 [pygments] A regular expression denial of service (ReDoS) vulnerability exists in the AdlLexer function that can be exploited locally to cause inefficient processing and potential denial of service. The vulnerability requires local access to trigger the malicious input against the vulnerable regex pattern.
🤖 Remediation details

Fix critical and high-severity CVEs in cryptography, starlette, aiohttp, fastmcp, pypdf, python-multipart, urllib3, soupsieve, yarl, mcp, authlib, requests, idna, and pygments

Short summary

This PR remediates security vulnerabilities across 14 packages. Four direct dependency specs in the root pyproject.toml were widened to allow patched versions (aiohttp, fastmcp, pypdf, requests); the remaining ten packages (cryptography, starlette, mcp, python-multipart, urllib3, soupsieve, yarl, authlib, idna, pygments) were transitive dependencies whose parent specs already permitted the patched versions and required only a uv lock --upgrade-package refresh to move the resolved version in uv.lock.

aiohttp

aiohttp is a direct dependency declared in pyproject.toml. The lower bound was raised from >=3.11.18 to >=3.14.0,<4.0.0 to require the patched release series, and uv lock resolved it to 3.14.1. The previous range allowed 3.13.3, which carried multiple high- and medium-severity vulnerabilities including remote code execution and denial-of-service issues fixed in 3.13.4 and 3.14.0.

fastmcp

fastmcp is a direct dependency that was hard-pinned to ==3.2.0 in pyproject.toml. The pin was replaced with >=3.3.0,<4.0.0, resolving to 3.4.2 in uv.lock. The 3.2.0 pin prevented any upgrade and left the project exposed to multiple high-severity vulnerabilities patched in 3.2.4 and 3.3.0.

pypdf

pypdf is a direct dependency in pyproject.toml. The lower bound was raised from >=5.1.0 to >=6.12.0,<7.0.0, resolving to 6.13.1 in uv.lock. The prior floor permitted 6.9.1, which was affected by several medium-severity vulnerabilities patched across 6.9.2 through 6.12.0.

python-multipart

python-multipart is a transitive dependency pulled in by mcp. Its parent mcp already declared >=0.0.9 with no upper bound, so no manifest edit was needed; a uv lock --upgrade-package python-multipart refresh moved the resolved version from 0.0.22 to 0.0.32, satisfying the >=0.0.27 patched requirement.

urllib3

urllib3 is a transitive dependency of requests and several Azure/OpenTelemetry packages. All parent specs already permitted >=2.7.0, so a uv lock --upgrade-package urllib3 refresh was sufficient to move the resolved version from 2.6.3 to 2.7.0.

soupsieve

soupsieve is a transitive dependency of beautifulsoup4, which is itself pulled in by the direct dependency bs4. beautifulsoup4 declares >=1.6.1 with no upper bound, so a uv lock --upgrade-package soupsieve refresh moved the resolved version from 2.8.3 to 2.8.4.

yarl

yarl is a transitive dependency of aiohttp. The aiohttp direct-spec bump to >=3.14.0 (see above) also unlocked yarl; a uv lock --upgrade-package yarl refresh moved the resolved version from 1.23.0 to 1.24.2, satisfying the >=1.24.0 patched requirement.

mcp

mcp is a transitive dependency of both fastmcp and mcp-proxy. The fastmcp direct-spec bump to >=3.3.0 (see above) unlocked mcp; a uv lock --upgrade-package mcp refresh moved the resolved version from 1.26.0 to 1.27.2, the minimum patched version.

authlib

authlib is a transitive dependency of fastmcp. fastmcp declares >=1.6.5 with no upper bound, so a uv lock --upgrade-package authlib refresh moved the resolved version from 1.6.9 to 1.7.2, satisfying the >=1.6.12 patched requirement.

requests

requests is a direct dependency in pyproject.toml. The lower bound was raised from >=2.32.3 to >=2.33.0,<3.0.0, resolving to 2.34.2 in uv.lock. The prior floor permitted 2.32.5, which was affected by a medium-severity vulnerability patched in 2.33.0.

cryptography

cryptography is a transitive dependency of several packages including azure-identity, msal, pyjwt, authlib, and secretstorage. All parent specs already permitted >=46.0.7, so a uv lock --upgrade-package cryptography refresh moved the resolved version from 46.0.5 to 48.0.1.

starlette

starlette is a transitive dependency of fastapi, mcp, and sse-starlette. All parent specs already permitted >=1.0.1, so a uv lock --upgrade-package starlette refresh moved the resolved version from 0.52.1 to 1.2.1.

idna

idna is a transitive dependency of yarl, requests, anyio, httpx, and email-validator. All parent specs already permitted >=3.15, so a uv lock --upgrade-package idna refresh moved the resolved version from 3.11 to 3.18.

pygments

pygments is a transitive dependency of rich, which is pulled in by fastmcp and cyclopts. rich declares >=2.13.0,<3.0.0, which already permits 2.20.0, so a uv lock --upgrade-package pygments refresh moved the resolved version from 2.19.2 to 2.20.0.

Version changes

Package From To Why updated
aiohttp >=3.11.183.13.3 resolved >=3.14.0,<4.0.03.14.1 resolved Direct CVE fix; spec widened in pyproject.toml
fastmcp ==3.2.0 >=3.3.0,<4.0.03.4.2 resolved Direct CVE fix; exact pin replaced in pyproject.toml
pypdf >=5.1.06.9.1 resolved >=6.12.0,<7.0.06.13.1 resolved Direct CVE fix; spec widened in pyproject.toml
requests >=2.32.32.32.5 resolved >=2.33.0,<3.0.02.34.2 resolved Direct CVE fix; spec widened in pyproject.toml
cryptography 46.0.5 48.0.1 Lockfile refresh; all parents already allowed target
starlette 0.52.1 1.2.1 Lockfile refresh; all parents already allowed target
mcp 1.26.0 1.27.2 Lockfile refresh; unlocked by fastmcp bump
python-multipart 0.0.22 0.0.32 Lockfile refresh; parent mcp already allowed target
urllib3 2.6.3 2.7.0 Lockfile refresh; all parents already allowed target
soupsieve 2.8.3 2.8.4 Lockfile refresh; parent beautifulsoup4 already allowed target
yarl 1.23.0 1.24.2 Lockfile refresh; unlocked by aiohttp bump
authlib 1.6.9 1.7.2 Lockfile refresh; unlocked by fastmcp bump
idna 3.11 3.18 Lockfile refresh; all parents already allowed target
pygments 2.19.2 2.20.0 Lockfile refresh; parent rich already allowed target
fastmcp-slim (not present) 3.4.2 New package added as part of fastmcp>=3.3.0 split
griffelib (not present) 2.0.2 New transitive dependency introduced by fastmcp 3.4.2
joserfc (not present) 1.7.1 New transitive dependency introduced by authlib 1.7.2

@aikido-autofix aikido-autofix Bot mentioned this pull request Jun 9, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants