Skip to content

Patch aiohttp for CVE-2025-69223#33621

Merged
khluu merged 1 commit intovllm-project:releases/v0.15.1from
zaristei2:zaristei/CVE-2025-69223
Feb 3, 2026
Merged

Patch aiohttp for CVE-2025-69223#33621
khluu merged 1 commit intovllm-project:releases/v0.15.1from
zaristei2:zaristei/CVE-2025-69223

Conversation

@zaristei2
Copy link
Copy Markdown
Contributor

@zaristei2 zaristei2 commented Feb 3, 2026
edited by github-actions bot
Loading

Purpose

upgrade aiohttp to bypass CVE-2025-69223 for the 0.15.1 release.

Test Plan

Test Result

@zaristei
patch aiohttp for CVE-2025-69223
6f493d4 
Signed-off-by: Zachary Aristei <zaristei@nvidia.com>
@zaristei2 zaristei2 requested a review from tjtanaa as a code owner February 3, 2026 00:53
@mergify mergify bot added ci/build rocm Related to AMD ROCm labels Feb 3, 2026
@github-project-automation github-project-automation bot moved this to Todo in AMD Feb 3, 2026
gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly upgrades aiohttp to patch a security vulnerability. The CVE mentioned in the title and description appears to be incorrect; the upgrade to aiohttp version 3.13.3 addresses CVE-2024-23829, which is a request smuggling vulnerability. The changes in requirements/rocm-test.txt and requirements/test.txt are appropriate. I've added one suggestion for requirements/common.txt to improve dependency reproducibility.

requirements/common.txt
protobuf # Required by LlamaTokenizer, gRPC.
fastapi[standard] >= 0.115.0 # Required by FastAPI's form models in the OpenAI API server's audio transcriptions endpoint.
aiohttp
aiohttp >= 3.13.3
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

For better reproducibility and to prevent potential breakages with future aiohttp releases, it's recommended to pin the version to ==3.13.3. This would also make it consistent with rocm-test.txt and test.txt where the version is pinned. While using >= allows for automatic bug fixes from upstream, it can also introduce unexpected issues if a new version has breaking changes.

aiohttp == 3.13.3

@DarkLight1337 DarkLight1337 added the ready ONLY add when PR is ready to merge/full CI is needed label Feb 3, 2026
@DarkLight1337
Copy link
Copy Markdown
Member

DarkLight1337 commented Feb 3, 2026

cc @russellb

@DarkLight1337 DarkLight1337 added this to the v0.15.1 Hotfix milestone Feb 3, 2026
@khluu khluu merged commit 099a787 into vllm-project:releases/v0.15.1 Feb 3, 2026
97 of 99 checks passed
@github-project-automation github-project-automation bot moved this from Todo to Done in AMD Feb 3, 2026
DarkLight1337 pushed a commit to DarkLight1337/vllm that referenced this pull request Feb 4, 2026
@zaristei2 @zaristei @DarkLight1337
Patch aiohttp for CVE-2025-69223 (vllm-project#33621)
a4fb019 
Signed-off-by: Zachary Aristei <zaristei@nvidia.com>
Co-authored-by: Zachary Aristei <zaristei@nvidia.com>
@DarkLight1337 DarkLight1337 mentioned this pull request Feb 4, 2026
Merged
5 tasks
vllm-bot pushed a commit that referenced this pull request Feb 4, 2026
@DarkLight1337 @zaristei2 @zaristei
Apply #33621 to main (#33758)
32a02c7 
Signed-off-by: Zachary Aristei <zaristei@nvidia.com>
Co-authored-by: zaristei2 <zaristei2@gmail.com>
Co-authored-by: Zachary Aristei <zaristei@nvidia.com>
gameofdimension pushed a commit to gameofdimension/vllm that referenced this pull request Feb 5, 2026
@DarkLight1337 @zaristei2 @zaristei
Apply vllm-project#33621 to main (vllm-project#33758)
1a4f2e4 
Signed-off-by: Zachary Aristei <zaristei@nvidia.com>
Co-authored-by: zaristei2 <zaristei2@gmail.com>
Co-authored-by: Zachary Aristei <zaristei@nvidia.com>
Signed-off-by: felix01.yu <felix01.yu@vipshop.com>
amd-hhashemi added a commit to amd-hhashemi/vllm that referenced this pull request Feb 9, 2026
@amd-hhashemi
Revert "Apply vllm-project#33621 to main (vllm-project#33758)"
c77d846 
This reverts commit 32a02c7.
amd-hhashemi added a commit to amd-hhashemi/vllm that referenced this pull request Feb 9, 2026
@amd-hhashemi
Revert "Apply vllm-project#33621 to main (vllm-project#33758)"
8b2f5c3 
This reverts commit 32a02c7.

Signed-off-by: Hashem Hashemi <hashem.hashemi@amd.com>
ItzDEXX pushed a commit to ItzDEXX/vllm that referenced this pull request Feb 19, 2026
@DarkLight1337 @zaristei2
@zaristei @ItzDEXX
Apply vllm-project#33621 to main (vllm-project#33758)
04757c8 
Signed-off-by: Zachary Aristei <zaristei@nvidia.com>
Co-authored-by: zaristei2 <zaristei2@gmail.com>
Co-authored-by: Zachary Aristei <zaristei@nvidia.com>
tunglinwood pushed a commit to tunglinwood/vllm that referenced this pull request Mar 4, 2026
@DarkLight1337 @zaristei2
@zaristei @tunglinwood
Apply vllm-project#33621 to main (vllm-project#33758)
33dba8c 
Signed-off-by: Zachary Aristei <zaristei@nvidia.com>
Co-authored-by: zaristei2 <zaristei2@gmail.com>
Co-authored-by: Zachary Aristei <zaristei@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DarkLight1337 DarkLight1337 DarkLight1337 approved these changes

@tjtanaa tjtanaa Awaiting requested review from tjtanaa tjtanaa is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

ci/build ready ONLY add when PR is ready to merge/full CI is needed rocm Related to AMD ROCm

Projects

AMD
Status: Done

Milestone

v0.15.1 Hotfix

Development

Successfully merging this pull request may close these issues.

4 participants

@zaristei2 @DarkLight1337 @khluu @zaristei