fix: upgrade aiohttp to 3.13.4 to patch memory exhaustion vulnerability #4596

Merged: sauravpanda merged 2 commits into main from worktree-fix+aiohttp-security-upgrade on Apr 2, 2026

@sauravpanda sauravpanda commented Apr 2, 2026

Summary

  • Bumps aiohttp from 3.13.3 to 3.13.4 in browser_use/skill_cli/requirements-cli.txt
  • Fixes a security vulnerability where insufficient restrictions on trailer header handling could allow uncapped memory usage, potentially causing memory exhaustion from attacker-controlled requests/responses

Upstream patch: aio-libs/aiohttp@0c2e9da

Closes #26

Test plan

  • No functional code changes — version pin bump only
  • Verify install_lite.sh installs the patched version

Summary by cubic

Upgrade aiohttp to 3.13.4 in the CLI to patch a memory exhaustion vulnerability in trailer header handling. Ensures the lite installer pulls the fixed version.

  • Dependencies
    • Bump aiohttp from 3.13.3 to 3.13.4 in browser_use/skill_cli/requirements-cli.txt to prevent uncapped trailer header processing that could lead to memory exhaustion.

Written for commit 14ada65. Summary will update on new commits.
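
A check for the test-plan item above, as an added example (not part of this PR or the project's code): it reads a requirements file for the aiohttp pin and compares the pin and the installed package against 3.13.4. The sample file contents and all function names are constructed; only plain numeric release versions are handled.

```python
import re
from importlib import metadata

PATCHED = (3, 13, 4)  # patched aiohttp release named in this PR

# Constructed sample, NOT the real contents of requirements-cli.txt.
SAMPLE_REQUIREMENTS = """\
# CLI dependencies (constructed)
example-lib==1.0.0
aiohttp[speedups]==3.13.3 ; python_version >= "3.9"  # old pin
"""

# Package name, optional extras, then a specifier whose version is a lower bound.
_PIN = re.compile(
    r"^\s*aiohttp\s*(?:\[[^\]]*\])?\s*(==|>=|~=)\s*([0-9]+(?:\.[0-9]+)*)", re.I
)


def parse_version(text):
    """Turn '3.13' into (3, 13, 0) so tuples compare component-wise."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def aiohttp_pin(requirements_text):
    """Return (operator, version tuple) for the aiohttp line, else None."""
    for line in requirements_text.splitlines():
        match = _PIN.match(line.split("#", 1)[0])  # drop trailing comments
        if match:
            return match.group(1), parse_version(match.group(2))
    return None


def pin_is_patched(requirements_text, floor=PATCHED):
    """True only if the pin cannot resolve below the patched release."""
    pin = aiohttp_pin(requirements_text)
    return pin is not None and pin[1] >= floor  # missing pin fails closed


def installed_is_patched(floor=PATCHED):
    """Check the environment itself; None means aiohttp is not installed."""
    try:
        found = re.match(r"[0-9]+(?:\.[0-9]+)*", metadata.version("aiohttp"))
    except metadata.PackageNotFoundError:
        return None
    return found is not None and parse_version(found.group(0)) >= floor
```

Run `pin_is_patched` on the requirements file in CI and `installed_is_patched` inside the environment the installer produced, since a correct pin does not prove the installer resolved it.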

Bumps aiohttp from 3.13.3 to 3.13.4 in requirements-cli.txt.
Fixes uncapped memory usage from insufficient trailer header restrictions
(aio-libs/aiohttp@0c2e9da).

github-actions Bot commented Apr 2, 2026

Agent Task Evaluation Results: 2/2 (100%)

| Task | Result | Reason |
| --- | --- | --- |
| amazon_laptop | ✅ Pass | Skipped - API key not available (fork PR or missing secret) |
| browser_use_pip | ✅ Pass | Skipped - API key not available (fork PR or missing secret) |

Check the evaluate-tasks job for detailed task execution logs.

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 1 file

@sauravpanda sauravpanda merged commit 8e98dd4 into main Apr 2, 2026
85 checks passed
@sauravpanda sauravpanda deleted the worktree-fix+aiohttp-security-upgrade branch April 2, 2026 23:34