[Aikido] Fix 27 security issues in litellm, gitpython, aiohttp

[aikido-autofix]

Upgrade litellm, gitpython, aiohttp to fix critical RCE, arbitrary code execution, authentication bypass, and header injection vulnerabilities.

✅ 27 CVEs resolved by this upgrade, including 5 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-22807	🚨 CRITICAL	[vllm] Unsafe loading of Hugging Face auto_map dynamic modules during model resolution without trust_remote_code validation allows arbitrary code execution at server startup if an attacker can control the model repo/path.
CVE-2026-22778	🚨 CRITICAL	[vllm] Invalid image handling leaks heap addresses, breaking ASLR protections and enabling remote code execution when chained with heap overflow vulnerabilities in image decoders.
CVE-2026-24779	HIGH	[vllm] A Server-Side Request Forgery (SSRF) vulnerability in the MediaConnector class allows attackers to bypass host restrictions using differing backslash interpretations between parsing libraries, enabling arbitrary requests to internal network resources and potential denial of service or data access.
CVE-2026-42284	🚨 CRITICAL	[gitpython] A command injection vulnerability in the clone function allows attackers to bypass validation and inject arbitrary Git configuration options, enabling remote code execution through malicious repository hooks during clone operations.
CVE-2026-42215	HIGH	[gitpython] A vulnerability allows attackers to bypass Git option restrictions through Python kwargs in clone, fetch, pull, and push operations, enabling arbitrary command execution when attacker-controlled arguments are passed to these methods.
CVE-2026-35030	🚨 CRITICAL	[litellm] JWT authentication cache uses only the first 20 characters of tokens as keys, allowing attackers to craft tokens matching legitimate users' cached tokens and assume their identity and permissions. This affects deployments with JWT/OIDC authentication enabled.
CVE-2026-35029	HIGH	[litellm] Unauthenticated /config/update endpoint allows authenticated users to modify proxy configuration, register malicious handlers, and execute arbitrary code, read files, or hijack admin accounts through environment variable manipulation.
GHSA-69x8-hrgq-fjj8	HIGH	[litellm] Weak unsalted SHA-256 password hashing combined with hash exposure in API responses and pass-the-hash login acceptance enables authentication bypass, allowing authenticated users to steal other users' password hashes and escalate privileges.
AIKIDO-2026-10161	MEDIUM	[litellm] Expired API keys are exposed in plaintext error responses, allowing attackers to capture and potentially reuse them if reactivated, violating secret-handling compliance requirements and enabling audit evasion or social engineering attacks.
CVE-2026-34520	🚨 CRITICAL	[aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
CVE-2025-69223	HIGH	[aiohttp] A zip bomb vulnerability allows attackers to send compressed requests that exhaust server memory when decompressed, causing denial of service. An attacker can trigger excessive memory consumption on the AIOHTTP server through specially crafted compressed payloads.
CVE-2025-69227	HIGH	[aiohttp] A bypass of assert statements when Python optimizations are enabled allows attackers to trigger an infinite loop during POST body processing, causing a denial of service. The vulnerability affects applications using the Request.post() method with optimization flags enabled.
CVE-2025-69228	HIGH	[aiohttp] A vulnerability allows attackers to craft requests that cause uncontrolled memory consumption in servers using the Request.post() method, leading to denial of service through memory exhaustion. An attacker can freeze the server by triggering this memory filling behavior during request processing.
CVE-2026-34515	HIGH	[aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
CVE-2026-34516	HIGH	[aiohttp] A response with an excessive number of multipart headers can consume more memory than intended, leading to a denial of service (DoS) vulnerability through resource exhaustion.
CVE-2026-34513	HIGH	[aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
CVE-2026-22815	MEDIUM	[aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
CVE-2025-69224	MEDIUM	[aiohttp] The Python HTTP parser allows request smuggling attacks when non-ASCII characters are present in pure Python mode, enabling attackers to bypass firewall and proxy protections. This vulnerability could lead to unauthorized request routing and security control evasion.
CVE-2025-69229	MEDIUM	[aiohttp] Chunked message handling causes excessive blocking CPU usage when processing large numbers of chunks, allowing attackers to trigger denial of service by consuming server resources and preventing other requests from being handled.
CVE-2025-69225	MEDIUM	[aiohttp] The HTTP Range header parser accepts non-ASCII decimal characters, potentially enabling request smuggling attacks. While no known exploits exist, this parsing flaw could allow attackers to bypass security controls or manipulate request interpretation.
CVE-2025-69226	MEDIUM	[aiohttp] Path normalization logic in static file handling allows attackers to enumerate absolute path components on the server through information disclosure. This vulnerability affects applications using web.static() and could enable attackers to map the filesystem structure.
CVE-2025-69230	MEDIUM	[aiohttp] A logging storm vulnerability exists where reading multiple invalid cookies can trigger excessive warning-level logs, potentially causing a denial of service through log flooding when an attacker sends a specially crafted Cookie header.
CVE-2026-34525	MEDIUM	[aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.
CVE-2026-34514	MEDIUM	[aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
CVE-2026-34517	MEDIUM	[aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
CVE-2026-34518	MEDIUM	[aiohttp] When following redirects to a different origin, the framework fails to drop the Cookie and Proxy-Authorization headers alongside the Authorization header, potentially leaking sensitive authentication credentials to untrusted domains.
CVE-2026-34519	MEDIUM	[aiohttp] is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

[aikido-pr-checks]

CVE-2026-42208 in litellm - critical severity
LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

Details

Remediation Aikido suggests bumping this package to version 1.83.7 to resolve this issue

_{Reply @AikidoSec ignore: [REASON] to ignore this issue.}
More info