Problem
inference-sdk (latest version 0.63.5) pins aiohttp to <=3.10.11, which has 9 known CVEs:
| CVE | Severity | Description |
|---|---|---|
| CVE-2025-53643 | High | Request smuggling vulnerability |
| CVE-2025-69223 | High | Zip bomb DoS |
| CVE-2025-69224 | Medium | Request smuggling with non-ASCII |
| CVE-2025-69228 | High | Memory exhaustion |
| CVE-2025-69229 | Medium | Chunked message DoS |
| CVE-2025-69230 | Medium | Logging storm |
| CVE-2025-69226 | High | Path traversal |
| CVE-2025-69227 | Medium | Infinite loop DoS |
| CVE-2025-69225 | Low | Non-ASCII decimals in Range header |
Current constraint
aiohttp<=3.10.11,>=3.9.0
Request
Please update the aiohttp dependency to >=3.13.3 (or remove the upper bound) to allow users to fix these security vulnerabilities.
Impact
Projects using inference-sdk cannot update aiohttp to patched versions, leaving them exposed to these CVEs.
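To show concretely why the upper bound matters, here is an added Python example (not code from the inference-sdk project): a small checker that parses pip-style specifier strings, tests whether a given aiohttp release satisfies the current pin versus the proposed one, and flags when an upper bound excludes the patched release outright. The version numbers are the ones quoted in this issue; the function names and the simplified specifier grammar (plain dotted versions and the six comparison operators, no `~=` or wildcards) are my own assumptions.

```python
import re

# Values taken from the issue text (constructed example data, not SDK code).
CURRENT_PIN = "aiohttp<=3.10.11,>=3.9.0"   # what inference-sdk 0.63.5 declares
PROPOSED_PIN = "aiohttp>=3.13.3"            # what the issue asks for
PATCHED_VERSION = "3.13.3"                  # first release the issue treats as fixed

_VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+)*")
_CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text):
    """Turn '3.10.11' into (3, 10, 11). Only plain dotted releases are handled."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _aligned(a, b):
    """Right-pad the shorter tuple with zeros so (3, 13) compares like (3, 13, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_requirement(req):
    """Split 'aiohttp<=3.10.11,>=3.9.0' into ('aiohttp', [('<=', (3,10,11)), ('>=', (3,9,0))])."""
    m = _REQ_RE.match(req.strip())
    if not m:
        raise ValueError(f"cannot parse requirement: {req!r}")
    name, spec_text = m.group(1), m.group(2)
    clauses = []
    for raw in spec_text.split(","):
        raw = raw.strip()
        if not raw:
            continue
        cm = _CLAUSE_RE.match(raw)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {raw!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def satisfies(version, req):
    """True when `version` is allowed by every clause of the requirement."""
    _, clauses = parse_requirement(req)
    v = parse_version(version)
    return all(_OPS[op](*_aligned(v, bound)) for op, bound in clauses)


def blocks_patch(req, patched=PATCHED_VERSION):
    """True when no release at or above `patched` can ever satisfy the requirement.

    Only upper bounds can do this: a '<' bound at or below the patched version, a '<='
    bound below it, or an '==' pin to an older release.
    """
    _, clauses = parse_requirement(req)
    p = parse_version(patched)
    for op, bound in clauses:
        a, b = _aligned(p, bound)
        if op == "<" and b <= a:
            return True
        if (op == "<=" or op == "==") and b < a:
            return True
    return False


def needs_upgrade(installed, patched=PATCHED_VERSION):
    """True when the installed release is older than the one the issue calls fixed."""
    a, b = _aligned(parse_version(installed), parse_version(patched))
    return a < b


if __name__ == "__main__":
    for pin in (CURRENT_PIN, PROPOSED_PIN):
        print(f"{pin:32} allows {PATCHED_VERSION}: {satisfies(PATCHED_VERSION, pin)}"
              f"  blocks patch: {blocks_patch(pin)}")
    print("installed 3.10.11 needs upgrade:", needs_upgrade("3.10.11"))
```

In a real project you would reach for `packaging.specifiers.SpecifierSet` rather than this hand-rolled grammar; the point of the example is that `blocks_patch(CURRENT_PIN)` is true while `blocks_patch(PROPOSED_PIN)` is false, which is exactly the situation the Impact section describes: with the current pin in place, no resolver can ever select a fixed aiohttp for a project that depends on inference-sdk.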
References
Thank you!
andrehpbredman