Summary
The pulpcore 3.49 branch currently pins aiohttp to `>=3.8.1,<3.9.6` (as of 3.49.12) or `<3.10.12,>=3.9.0` (as of 3.49.49), which leaves it vulnerable to multiple aiohttp CVEs that have been fixed in newer versions.
Affected CVEs
| CVE | Issue | Fixed In |
|---|---|---|
| CVE-2025-53643 | Request Smuggling | aiohttp 3.12.14 |
| CVE-2025-69228 | DoS via large payloads | aiohttp 3.13.3 |
| CVE-2025-69226 | Static filepath info leak | aiohttp 3.13.3 |
| CVE-2025-69223 | Zip bomb DoS (auto_decompress) | aiohttp 3.13.3 |
Current State
- pulpcore 3.73.22 already supports `aiohttp<3.14,>=3.9.0` ✅
- pulpcore 3.49.49 is still constrained to `aiohttp<3.10.12,>=3.9.0` ❌
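As an added check (not part of this issue or the pulpcore project), the script below takes a pip-style pin together with the fixed-in versions from the table above and reports which CVEs no admitted aiohttp release can contain a fix for. The version handling is a deliberately minimal stand-in for `packaging.specifiers`, covering only the plain comparison operators used in this issue.

```python
"""Report CVEs whose fix lies outside a pip-style version range."""
import re

# Constructed from the "Affected CVEs" table in this issue: CVE -> fixed-in version.
FIXED_IN = {
    "CVE-2025-53643": "3.12.14",
    "CVE-2025-69228": "3.13.3",
    "CVE-2025-69226": "3.13.3",
    "CVE-2025-69223": "3.13.3",
}

_CLAUSE = re.compile(r"^(>=|<=|==|>|<)\s*([0-9][0-9.]*)$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.10.12' into (3, 10, 12) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(req: str) -> tuple[str, list[tuple[str, tuple[int, ...]]]]:
    """Split 'aiohttp<3.10.12,>=3.9.0' into the name and (op, version) clauses.

    Only the comparison operators seen in this issue are handled; anything
    else (~=, !=, wildcards) raises rather than being silently misread.
    """
    name, spec = re.match(r"^([A-Za-z0-9_.-]+)(.*)$", req.strip()).groups()
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return name, clauses


def fix_reachable(clauses, fix: tuple[int, ...]) -> bool:
    """True if some version >= fix satisfies every clause that caps the range.

    Lower bounds (>, >=) never exclude later, fixed releases on their own,
    so only '<', '<=' and '==' decide whether the fix can ever be installed.
    """
    for op, bound in clauses:
        if op == "<" and not fix < bound:
            return False
        if op in ("<=", "==") and not fix <= bound:
            return False
    return True


def unfixable_cves(req: str, fixed_in=FIXED_IN) -> list[str]:
    """CVEs for which no release admitted by ``req`` carries the fix."""
    _, clauses = parse_requirement(req)
    return sorted(cve for cve, ver in fixed_in.items()
                  if not fix_reachable(clauses, parse_version(ver)))


if __name__ == "__main__":
    for pin in ("aiohttp<3.10.12,>=3.9.0", "aiohttp<3.14,>=3.9.0"):
        print(pin, "->", unfixable_cves(pin) or "all fixes reachable")
```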
Request
Please backport aiohttp 3.13.x support to the 3.49 branch so downstream consumers (e.g., galaxy_ng stable-2.6) can receive these security fixes.
Impact
Pulpcore's content app uses aiohttp.web to serve content, which is the attack surface for these vulnerabilities. Downstream projects cannot fix this without pulpcore updating its aiohttp constraint.
Thank you!