fix(python-fastapi): bump aiohttp for CVE-2026-34525 (GHSA-c427-h43c-vf67) #94

Merged
cbullinger merged 1 commit into main from security/fix-aiohttp-cve-2026-34525-main
Apr 2, 2026

@cbullinger (Collaborator) commented Apr 2, 2026

Summary

Same change as the development PR: bumps aiohttp in mflix/server/python-fastapi to address CVE-2026-34525 / GHSA-c427-h43c-vf67.

Changes

  • requirements.in: aiohttp>=3.13.3 → aiohttp>=3.13.4
  • requirements.txt: regenerated with pip-compile (aiohttp==3.13.5)

Security

| CVE | Advisory | Severity |
|---|---|---|
| CVE-2026-34525 | GHSA-c427-h43c-vf67 | Medium |

Dependabot

Closes #31, #32, #33, #34, #35, #36, #37, #38, #39, #40

Test plan

  • pip-compile completed successfully
  • CI / tests for python-fastapi pass

Made with Cursor

Raises the transitive aiohttp floor to the patched series so duplicate Host
headers are rejected (GHSA-c427-h43c-vf67).

Regenerated requirements.txt with pip-compile.

Resolves Dependabot alerts #31-40.

Made-with: Cursor
@cbullinger cbullinger merged commit 0118793 into main Apr 2, 2026
1 check passed
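
A check that CI could run after pip-compile to confirm the compiled pin has not drifted below the floor set in this PR. This is an added example, not code from this PR or repository; the function names and sample lock-file text are constructed, and only the aiohttp>=3.13.4 floor comes from the PR.

```python
import re

# Floor taken from the PR: requirements.in now requires aiohttp>=3.13.4.
FLOORS = {"aiohttp": "3.13.4"}
# Exact release pins only; pre-release suffixes (e.g. 3.13.4rc1) deliberately do not match.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9]+(?:\.[0-9]+)*)(?![A-Za-z0-9.])")

def normalize(name):
    """PEP 503 name normalization so 'AioHTTP' and 'aiohttp' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(version):
    """Numeric tuple with trailing zeros dropped, so 3.13 == 3.13.0."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_pins(text):
    """Return {name: version} for each 'name==version' line of pip-compile output."""
    pins = {}
    for line in text.splitlines():
        # Comment lines ('# via ...') and '--hash=' continuations never match PIN_RE.
        match = PIN_RE.match(line.strip())
        if match:
            pins[normalize(match.group(1))] = match.group(2)
    return pins

def check_floors(text, floors=FLOORS):
    """Return a list of problems; an empty list means every floor is met."""
    pins = parse_pins(text)
    problems = []
    for name, floor in floors.items():
        pinned = pins.get(normalize(name))
        if pinned is None:
            problems.append(f"{name}: no exact pin found")
        elif version_key(pinned) < version_key(floor):
            problems.append(f"{name}: pinned {pinned} is below floor {floor}")
    return problems

# Constructed sample lock-file text (not the repository's real requirements.txt).
PATCHED = "aiohttp==3.13.5 \\\n    --hash=sha256:<placeholder>\n    # via -r requirements.in\n"
STALE = "AioHTTP[speedups]==3.13.3  # via -r requirements.in\n"
```

A missing or non-release pin is reported as a problem rather than passed, so the check fails closed.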

Development

Successfully merging this pull request may close these issues.

How do I responsibly disclose security issues?