
[Aikido] Fix 72 security issues in litellm, aiohttp, fickling and 8 more #66

Closed

aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-28371987-qy26

Conversation

@aikido-autofix

Upgrade dependencies to fix critical RCE vulnerabilities in litellm (JWT cache bypass), aiohttp (null byte injection), pillow (heap leak/ASLR bypass), and protobuf, plus DoS and authentication bypass issues.

✅ 72 CVEs resolved by this upgrade, including 4 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-22807 | 🚨 CRITICAL | [vllm] Unsafe loading of Hugging Face auto_map dynamic modules during model resolution without trust_remote_code validation allows arbitrary code execution at server startup if an attacker can control the model repo/path. |
| CVE-2026-22778 | 🚨 CRITICAL | [vllm] Invalid image handling leaks heap addresses, breaking ASLR protections and enabling remote code execution when chained with heap overflow vulnerabilities in image decoders. |
| CVE-2026-27893 | HIGH | [vllm] Model implementation files hardcode trust_remote_code=True, bypassing user's security settings and enabling remote code execution (RCE) via malicious model repositories even when explicitly disabled. |
| CVE-2026-24779 | HIGH | [vllm] A Server-Side Request Forgery (SSRF) vulnerability in the MediaConnector class allows attackers to bypass host restrictions using differing backslash interpretations between parsing libraries, enabling arbitrary requests to internal network resources and potential denial of service or data access. |
| CVE-2026-34756 | MEDIUM | [vllm] Unauthenticated attackers can send requests with extremely large n parameter values to trigger Denial of Service by blocking the asyncio event loop and causing Out-Of-Memory crashes due to lack of upper bound validation. |
| CVE-2026-34755 | MEDIUM | [vllm] A missing frame count limit in the VideoMediaIO.load_base64() method allows attackers to bypass the num_frames parameter by sending thousands of comma-separated base64-encoded JPEG frames in a single API request, causing out-of-memory denial of service. |
| CVE-2026-35030 | 🚨 CRITICAL | [litellm] JWT authentication cache uses only the first 20 characters of tokens as keys, allowing attackers to craft tokens matching legitimate users' cached tokens and assume their identity and permissions. This affects deployments with JWT/OIDC authentication enabled. |
| CVE-2026-35029 | HIGH | [litellm] Unauthenticated /config/update endpoint allows authenticated users to modify proxy configuration, register malicious handlers, and execute arbitrary code, read files, or hijack admin accounts through environment variable manipulation. |
| GHSA-69x8-hrgq-fjj8 | HIGH | [litellm] Weak unsalted SHA-256 password hashing combined with hash exposure in API responses and pass-the-hash login acceptance enables authentication bypass, allowing authenticated users to steal other users' password hashes and escalate privileges. |
| GHSA-xqmj-j6mv-4862 | HIGH | [litellm] The POST /prompts/test endpoint renders unsandboxed user-supplied prompt templates, allowing authenticated users to execute arbitrary code within the proxy process and potentially access environment secrets or execute host commands. |
| AIKIDO-2026-10161 | MEDIUM | [litellm] Expired API keys are exposed in plaintext error responses, allowing attackers to capture and potentially reuse them if reactivated, violating secret-handling compliance requirements and enabling audit evasion or social engineering attacks. |
| CVE-2026-34520 | 🚨 CRITICAL | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4. |
| CVE-2025-69223 | HIGH | [aiohttp] A zip bomb vulnerability allows attackers to send compressed requests that exhaust server memory when decompressed, causing denial of service. An attacker can trigger excessive memory consumption on the AIOHTTP server through specially crafted compressed payloads. |
| CVE-2025-69227 | HIGH | [aiohttp] A bypass of assert statements when Python optimizations are enabled allows attackers to trigger an infinite loop during POST body processing, causing a denial of service. The vulnerability affects applications using the Request.post() method with optimization flags enabled. |
| CVE-2025-69228 | HIGH | [aiohttp] A vulnerability allows attackers to craft requests that cause uncontrolled memory consumption in servers using the Request.post() method, leading to denial of service through memory exhaustion. An attacker can freeze the server by triggering this memory filling behavior during request processing. |
| CVE-2026-34515 | HIGH | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4. |
| CVE-2026-34516 | HIGH | [aiohttp] A response with an excessive number of multipart headers can consume more memory than intended, leading to a denial of service (DoS) vulnerability through resource exhaustion. |
| CVE-2026-34513 | HIGH | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4. |
| CVE-2026-22815 | MEDIUM | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4. |
| CVE-2025-69224 | MEDIUM | [aiohttp] The Python HTTP parser allows request smuggling attacks when non-ASCII characters are present in pure Python mode, enabling attackers to bypass firewall and proxy protections. This vulnerability could lead to unauthorized request routing and security control evasion. |
| CVE-2025-69229 | MEDIUM | [aiohttp] Chunked message handling causes excessive blocking CPU usage when processing large numbers of chunks, allowing attackers to trigger denial of service by consuming server resources and preventing other requests from being handled. |
| CVE-2025-69225 | MEDIUM | [aiohttp] The HTTP Range header parser accepts non-ASCII decimal characters, potentially enabling request smuggling attacks. While no known exploits exist, this parsing flaw could allow attackers to bypass security controls or manipulate request interpretation. |
| CVE-2025-69226 | MEDIUM | [aiohttp] Path normalization logic in static file handling allows attackers to enumerate absolute path components on the server through information disclosure. This vulnerability affects applications using web.static() and could enable attackers to map the filesystem structure. |
| CVE-2025-69230 | MEDIUM | [aiohttp] A logging storm vulnerability exists where reading multiple invalid cookies can trigger excessive warning-level logs, potentially causing a denial of service through log flooding when an attacker sends a specially crafted Cookie header. |
| CVE-2026-34525 | MEDIUM | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4. |
| CVE-2026-34514 | MEDIUM | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4. |
| CVE-2026-34517 | MEDIUM | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4. |
| CVE-2026-34518 | MEDIUM | [aiohttp] When following redirects to a different origin, the framework fails to drop the Cookie and Proxy-Authorization headers alongside the Authorization header, potentially leaking sensitive authentication credentials to untrusted domains. |
| CVE-2026-34519 | MEDIUM | [aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4. |
| GHSA-5hwf-rc88-82xm | HIGH | [fickling] Fickling's unsafe imports blocklist is missing three stdlib modules (uuid, _osx_support, _aix_support) that enable arbitrary command execution through subprocess/os.system calls, allowing malicious pickles to bypass safety checks and achieve RCE. |
| GHSA-wccx-j62j-r448 | HIGH | [fickling] Incomplete pickle entry point hooking allows malicious pickle payloads to execute via pickle.loads, _pickle.loads, and _pickle.load despite global safety mode being enabled, bypassing runtime protection. This enables remote code execution for applications relying on always_check_safety() as a security guard. |
| GHSA-mxhj-88fx-4pcv | HIGH | [fickling] A vulnerability in the OBJ, NEWOBJ, and NEWOBJ_EX opcodes allows dangerous function calls to bypass all safety checks by remaining invisible to the AST analysis when their results are discarded, enabling remote code execution through malicious pickle files. |
| CVE-2026-22606 | HIGH | [fickling] Fickling misclassifies malicious pickles using runpy module as SUSPICIOUS instead of OVERTLY_MALICIOUS, allowing attackers to bypass safety checks and achieve remote code execution if users rely on Fickling's classification to decide whether to deserialize pickles. |
| CVE-2026-22607 | HIGH | [fickling] A static analyzer fails to classify malicious pickles using cProfile.run() as dangerous, instead marking them as merely suspicious, potentially leading users to deserialize attacker-controlled code. This misclassification bypasses security gates relying on the tool's threat assessment. |
| CVE-2026-22608 | HIGH | [fickling] A vulnerability allows remote code execution (RCE) by chaining ctypes and pydoc modules together, bypassing safety checks and falsely reporting malicious pickle files as safe. |
| CVE-2026-22609 | HIGH | [fickling] The unsafe_imports() method fails to detect several high-risk Python modules used for arbitrary code execution, allowing malicious pickles to bypass static safety checks. This enables attackers to execute arbitrary code undetected. |
| CVE-2026-22612 | HIGH | [fickling] is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detection bypass due to "builtins" blindness. This issue has been patched in version 0.1.7. |
| GHSA-5cxw-w2xg-2m8h | MEDIUM | [fickling] A crafted pickle using platform module functions bypasses safety checks and executes subprocess commands with attacker-controlled arguments or reads arbitrary files during deserialization, enabling file probing and information disclosure. |
| GHSA-r48f-3986-4f9c | MEDIUM | [fickling] Two bugs in fickling's AST analysis allow malicious pickle files to bypass safety checks and execute arbitrary stdlib code, enabling arbitrary file read and information disclosure when using fickling.load() as a security gate. The vulnerabilities stem from incomplete variable tracking in unused assignment analysis and improper AST node construction that hides variable references from static analysis. |
| GHSA-mhc9-48gj-9gp3 | MEDIUM | [fickling] Fickling's safety checks can be bypassed by appending a BUILD opcode to pickle payloads, allowing dangerous stdlib functions (network servers, signal handlers, file operations, exfiltration) to execute undetected due to over-inclusive import allowlisting and improper call filtering. This enables remote code execution and persistent backdoors in ML model files. |
| GHSA-83pf-v6qq-pwmr | LOW | [fickling] Fickling's safety checker incorrectly rates pickle files as safe when they open outbound TCP connections using stdlib network modules (SMTP, IMAP, FTP, POP3, Telnet, NNTP) due to incomplete blocklists and a logic flaw in unused variable detection that allows attackers to bypass warnings and establish covert channels or probe internal services. |
| CVE-2025-67221 | HIGH | [orjson] The orjson.dumps function in orjson through 3.11.4 does not limit recursion for deeply nested JSON documents. |
| CVE-2026-34070 | HIGH | [langchain-core] Prompt loading functions fail to validate file paths in deserialized configs, allowing arbitrary file read attacks through directory traversal or absolute path injection. An attacker can read sensitive files on the host filesystem when user-influenced prompt configurations are loaded. |
| CVE-2026-40087 | MEDIUM | [langchain-core] Incomplete f-string validation in prompt templates allows arbitrary attribute access and nested replacement fields, enabling remote code execution through malicious template injection. The vulnerability affects multiple template classes that format user-controlled expressions without proper sanitization. |
| CVE-2026-26013 | LOW | [langchain-core] The ChatOpenAI.get_num_tokens_from_messages() method fetches unvalidated image URLs when computing token counts for vision models, enabling Server-Side Request Forgery (SSRF) attacks through malicious image URLs in user input. |
| CVE-2026-26209 | HIGH | [cbor2] A Denial of Service vulnerability exists due to uncontrolled recursion when decoding deeply nested CBOR structures, allowing attackers to crash worker processes by supplying crafted payloads with excessive nesting levels. An attacker can exploit this by sending small malicious packets to repeatedly trigger RecursionError and terminate application workers. |
| CVE-2026-25990 | HIGH | [pillow] is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1. |
| CVE-2026-40192 | HIGH | [pillow] A decompression bomb vulnerability in FITS image decoding allows unbounded GZIP decompression, enabling attackers to cause denial of service through excessive memory consumption via specially crafted FITS files. |
| CVE-2026-0994 | HIGH | [protobuf] ParseDict() fails to properly track recursion depth when handling nested Any messages, allowing attackers to bypass the max_recursion_depth limit and trigger a RecursionError, causing denial of service. |
| CVE-2026-32597 | HIGH | [pyjwt] PyJWT fails to validate the crit (Critical) Header Parameter in JWS tokens, accepting tokens with unknown extensions instead of rejecting them as required by RFC 7515, potentially allowing attackers to bypass security controls. |
| CVE-2026-24486 | HIGH | [python-multipart] Path traversal vulnerability allows attackers to write uploaded files to arbitrary filesystem locations when using non-default UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True configuration options through crafted filenames. |
| CVE-2026-40347 | MEDIUM | [python-multipart] A denial of service vulnerability exists in multipart form-data parsing when handling requests with large preamble or epilogue sections. Attackers can craft malicious requests to cause excessive processing and resource consumption. |
| CVE-2026-32874 | HIGH | [ujson] A memory leak vulnerability in JSON parsing allows attackers to cause denial of service by sending malicious JSON with large integers outside the valid range, leaking memory with each parsed integer regardless of parsing success. |
| CVE-2026-32875 | HIGH | [ujson] A buffer overflow or infinite loop vulnerability exists in the JSON encoder when the indent parameter multiplied by nesting depth exceeds INT32_MAX or uses large negative values, causing interpreter crashes or denial of service through integer overflow/underflow in memory allocation calculations. |
| CVE-2025-66418 | HIGH | [urllib3] An unbounded decompression chain vulnerability allows malicious servers to insert unlimited compression steps, causing excessive CPU usage and memory allocation. This leads to denial of service through resource exhaustion. |
| CVE-2025-66471 | HIGH | [urllib3] The Streaming API improperly handles highly compressed data, allowing attackers to cause excessive CPU usage and massive memory allocation through decompression of small compressed payloads. This results in a denial-of-service vulnerability via resource exhaustion. |
| CVE-2026-21441 | HIGH | [urllib3] Decompression bomb vulnerability in streaming API for HTTP redirects. Malicious servers can trigger excessive resource consumption by sending compressed redirect responses that are fully decompressed without respecting read limits. |
| CVE-2025-50181 | MEDIUM | [urllib3] A vulnerability allows disabling redirects for all requests through improper PoolManager instantiation with retries configuration, potentially bypassing SSRF and open redirect mitigations. Applications relying on disabled redirects to prevent these vulnerabilities remain exposed to attacks. |
| CVE-2025-50182 | MEDIUM | [urllib3] A vulnerability allows uncontrolled HTTP redirects in browser and Node.js environments when using Pyodide, as redirect control parameters are ignored by the runtime. This could enable open redirect attacks or redirect-based security bypasses. |
| CVE-2026-25048 | HIGH | [xgrammar] is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32. |
| CVE-2024-12797 | HIGH | [cryptography] RFC7250 Raw Public Key (RPK) authentication fails to abort TLS/DTLS handshakes when server verification fails with SSL_VERIFY_PEER mode enabled, allowing potential man-in-the-middle attacks when clients don't detect authentication failures. |
| CVE-2026-26007 | MEDIUM | [cryptography] Missing validation of elliptic curve public key points allows attackers to use small-order subgroup points, enabling private key information leakage via ECDH and signature forgery via ECDSA on affected curves. |
| CVE-2026-34073 | MEDIUM | [cryptography] DNS name constraint validation was incomplete, only checking Subject Alternative Names in child certificates but not the peer name during validation, allowing constrained domains to bypass restrictions through wildcard certificates. |
| CVE-2026-28684 | MEDIUM | [python-dotenv] A local attacker can overwrite arbitrary files by exploiting symlink following in set_key() and unset_key() functions during .env file rewriting. This vulnerability allows arbitrary file write/modification through a crafted symlink when a cross-device rename fallback is triggered. |
| CVE-2026-27482 | MEDIUM | [ray] Unauthenticated DELETE endpoints in the dashboard HTTP server allow remote attackers to shut down Serve or delete jobs via DNS rebinding or same-network access, causing denial of service without user interaction. |
| CVE-2026-25528 | MEDIUM | [langsmith] Distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers, allowing attackers to inject arbitrary api_url values through the baggage header and exfiltrate sensitive trace data to attacker-controlled endpoints. |
| GHSA-rr7j-v2q5-chgv | MEDIUM | [langsmith] Output redaction controls fail to apply to streaming token events, allowing sensitive LLM output to leak via run events despite redaction being enabled. This causes information disclosure of data that should have been redacted in LangSmith storage. |
| CVE-2026-24049 | MEDIUM | [wheel] The unpack function improperly handles file permissions after extraction, allowing attackers to craft malicious wheel files that modify permissions of critical system files for privilege escalation or arbitrary code execution. |
| CVE-2026-25645 | MEDIUM | [requests] The extract_zipped_paths() utility function uses predictable filenames when extracting zip archives to the temp directory, allowing local attackers to pre-create malicious files that get loaded instead of legitimate ones, resulting in arbitrary code execution. |
| CVE-2026-22701 | MEDIUM | [filelock] A TOCTOU race condition in SoftFileLock allows local attackers to create symlinks between permission validation and file creation, causing lock operations to fail or operate on unintended targets. This can lead to denial of service or unexpected lock behavior. |
| CVE-2026-4539 | LOW | [pygments] A regular expression denial of service (ReDoS) vulnerability exists in the AdlLexer function that can be exploited locally to cause inefficient processing and potential denial of service. The vulnerability requires local access to trigger the malicious input against the vulnerable regex pattern. |
| GHSA-r7w7-9xr2-qq2r | LOW | [langchain-openai] A TOCTOU/DNS rebinding vulnerability in the _url_to_size() helper allowed attackers to bypass SSRF validation by resolving to a public IP during validation and a private IP during fetch, enabling blind probing of internal services. The response body is not exposed to callers, limiting practical impact to timing-based inference attacks. |

@aikido-autofix (Author) aikido-autofix Bot commented May 6, 2026

Closed by Aikido: a new AutoFix has been created → #70

@aikido-autofix aikido-autofix Bot closed this May 6, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-update-packages-28371987-qy26 branch May 6, 2026 00:20