Skip to content

CRO-10765: Upgrade aiohttp to 3.13.3 to fix security vulnerabilities #47

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
TuringND wants to merge 2 commits into
base: main
Choose a base branch
from
Open

CRO-10765: Upgrade aiohttp to 3.13.3 to fix security vulnerabilities #47

TuringND wants to merge 2 commits into from

Conversation

@TuringND
Copy link
Collaborator

@TuringND TuringND commented Feb 2, 2026

  • Updated aiohttp from 3.12.15 to >=3.13.3 (addresses 8 high-severity vulnerabilities)
  • Updated litellm to >=1.81.6 to support newer openai versions
  • Updated openai to >=2.8.0,<3.0.0 for compatibility with litellm and browser-use
  • Updated openhands-tools to 1.10.0 for latest features
  • Added explicit browser-use >=0.11.7 constraint for aiohttp compatibility
  • All dependency conflicts resolved successfully

Security vulnerabilities fixed:

  • CVE-2024-52304 and related aiohttp vulnerabilities (score 7.5)
  • Affects aiohttp versions <= 3.13.2

Co-authored-by: Daniel Foguelman <>

Summary of PR

Change Type

  • Bug fix
  • New feature
  • Breaking change
  • Refactor
  • Other (dependency update, docs, typo fixes, etc.)

Checklist

  • I have read and reviewed the code and I understand what the code is doing.
  • I have tested the code to the best of my ability and ensured it works as expected.

Fixes

Resolves #(issue)

Release Notes

  • Include this change in the Release Notes.

openhands-agent and others added 2 commits February 2, 2026 12:36
@openhands-agent
CRO-10765: Upgrade aiohttp to 3.13.3 to fix security vulnerabilities
6a2d90a 
- Updated aiohttp from 3.12.15 to >=3.13.3 (addresses 8 high-severity vulnerabilities)
- Updated litellm to >=1.81.6 to support newer openai versions
- Updated openai to >=2.8.0,<3.0.0 for compatibility with litellm and browser-use
- Updated openhands-tools to 1.10.0 for latest features
- Added explicit browser-use >=0.11.7 constraint for aiohttp compatibility
- All dependency conflicts resolved successfully

Security vulnerabilities fixed:
- CVE-2024-52304 and related aiohttp vulnerabilities (score 7.5)
- Affects aiohttp versions <= 3.13.2

Co-authored-by: Daniel Foguelman <>
@TuringND
Removing CR
4e07171
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@TuringND @openhands-agent