fix(deps): vuln minor: aiohttp, requests · patch: msgpack [test/integration-test]

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 3 packages upgraded (MINOR changes included)

Manifests changed:

• test/integration-test (pep621)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
aiohttp	3.9.0	3.13.5	minor	Direct	7 HIGH, 15 MODERATE, 2 MEDIUM, 16 LOW
requests	2.31.0	2.33.1	minor	Direct	6 MODERATE
msgpack	1.0.0	1.0.8	patch	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (7 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
aiohttp	GHSA-5m98-qgg9-wh84	HIGH	aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests	3.9.0	3.9.4
aiohttp	CVE-2025-69223	HIGH	AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb	3.9.0	-
aiohttp	GHSA-5h86-8mv2-jq9f	HIGH	aiohttp is vulnerable to directory traversal	3.9.0	3.9.2
aiohttp	CVE-2024-23334	HIGH	aiohttp.web.static(follow_symlinks=True) is vulnerable to directory traversal	3.9.0	-
aiohttp	PYSEC-2024-24	HIGH	-	3.9.0	1c335944d6a8b1298baf179b7c0b3069f10c514b
aiohttp	GHSA-6mq8-rvhq-8wgg	HIGH	AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb	3.9.0	3.13.3
aiohttp	CVE-2024-30251	HIGH	Denial of service when trying to parse malformed POST requests in aiohttp	3.9.0	-

ℹ️ Other Vulnerabilities (39)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
aiohttp	PYSEC-2024-26	medium	-	3.9.0	33ccdfb0a12690af5bb49bda2319ec0907fa7827
aiohttp	CVE-2024-23829	medium	aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators	3.9.0	-
aiohttp	GHSA-c427-h43c-vf67	MODERATE	AIOHTTP accepts duplicate Host headers	3.9.0	3.13.4
aiohttp	GHSA-g84x-mcqj-x9qq	MODERATE	AIOHTTP vulnerable to DoS through chunked messages	3.9.0	3.13.3
aiohttp	GHSA-jj3x-wxrx-4x23	MODERATE	AIOHTTP vulnerable to DoS when bypassing asserts	3.9.0	3.13.3
aiohttp	CVE-2025-69227	MODERATE	AIOHTTP vulnerable to DoS when bypassing asserts	3.9.0	-
aiohttp	GHSA-8qpw-xqxj-h4r2	MODERATE	aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators	3.9.0	3.9.2
aiohttp	GHSA-6jhg-hg63-jvvf	MODERATE	AIOHTTP vulnerable to denial of service through large payloads	3.9.0	3.13.3
aiohttp	CVE-2025-69228	MODERATE	AIOHTTP vulnerable to denial of service through large payloads	3.9.0	-
aiohttp	GHSA-8495-4g3g-x7pr	MODERATE	aiohttp allows request smuggling due to incorrect parsing of chunk extensions	3.9.0	3.10.11
aiohttp	CVE-2024-52304	MODERATE	aiohttp vulnerable to request smuggling due to incorrect parsing of chunk extensions	3.9.0	-
aiohttp	GHSA-w2fm-2cpv-w7v5	MODERATE	aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage	3.9.0	3.13.4
aiohttp	GHSA-7gpw-8wmc-pm8g	MODERATE	aiohttp Cross-site Scripting vulnerability on index pages for static file handling	3.9.0	3.9.4
aiohttp	CVE-2024-27306	MODERATE	aiohttp vulnerable to XSS on index pages for static file handling	3.9.0	-
aiohttp	GHSA-p998-jp59-783m	MODERATE	AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows	3.9.0	3.13.4
aiohttp	GHSA-m5qp-6w8w-w647	MODERATE	AIOHTTP has a Multipart Header Size Bypass	3.9.0	3.13.4
aiohttp	CVE-2025-69229	MODERATE	AIOHTTP vulnerable to DoS through chunked messages	3.9.0	-
requests	GHSA-gc5v-m9x4-r6x2	MODERATE	Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function	2.31.0	2.33.0
requests	CVE-2026-25645	MODERATE	Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function	2.31.0	-
requests	GHSA-9hjg-9r4m-mvj7	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.31.0	2.32.4
requests	CVE-2024-47081	MODERATE	Requests vulnerable to .netrc credentials leak via malicious URLs	2.31.0	-
requests	GHSA-9wx4-h78v-vm56	MODERATE	Requests Session object does not verify requests after making first request with verify=False	2.31.0	2.32.0
requests	CVE-2024-35195	MODERATE	Requests Session object does not verify requests after making first request with verify=False	2.31.0	-
aiohttp	GHSA-54jq-c3m8-4m76	LOW	AIOHTTP vulnerable to brute-force leak of internal static file path components	3.9.0	3.13.3
aiohttp	GHSA-63hf-3vf5-4wqf	LOW	AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass	3.9.0	3.13.4
aiohttp	GHSA-2vrm-gr82-f7m5	LOW	AIOHTTP has CRLF injection through multipart part content type header construction	3.9.0	3.13.4
aiohttp	GHSA-9548-qrrj-x5pj	LOW	AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections	3.9.0	3.12.14
aiohttp	CVE-2025-53643	LOW	AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections	3.9.0	-
aiohttp	CVE-2025-69225	LOW	AIOHTTP Regex Mismatch Allows Unicode in ASCII-Only Protocol Fields	3.9.0	-
aiohttp	GHSA-mqqc-3gqh-h2x8	LOW	AIOHTTP has unicode match groups in regexes for ASCII protocol elements	3.9.0	3.13.3
aiohttp	GHSA-mwh4-6h8g-pg8w	LOW	AIOHTTP has HTTP response splitting via \r in reason phrase	3.9.0	3.13.4
aiohttp	GHSA-hcc4-c3v8-rx92	LOW	AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector	3.9.0	3.13.4
aiohttp	CVE-2025-69226	LOW	AIOHTTP allows for a brute-force leak of internal static filepath components	3.9.0	-
aiohttp	GHSA-fh55-r93g-j68g	LOW	AIOHTTP Vulnerable to Cookie Parser Warning Storm	3.9.0	3.13.3
aiohttp	GHSA-966j-vmvw-g2g9	LOW	AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect	3.9.0	3.13.4
aiohttp	CVE-2025-69224	LOW	AIOHTTP's Unicode processing of header values could cause parsing discrepancies	3.9.0	-
aiohttp	GHSA-69f9-5gxw-wvc2	LOW	AIOHTTP's unicode processing of header values could cause parsing discrepancies	3.9.0	3.13.3
aiohttp	GHSA-3wq7-rqq7-wx6j	LOW	AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS	3.9.0	3.13.4
aiohttp	CVE-2025-69230	LOW	AIOHTTP Vulnerable to Cookie Parser Warning Storm	3.9.0	-

⚠️ Dependencies that have Reached EOL (2)

Dependency	Unsafe Version	EOL Date	New Version	Path
msgpack	1.0.0	-	1.0.8	test/integration-test/pyproject.toml
requests	2.31.0	-	2.33.1	test/integration-test/pyproject.toml

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

[datadog-prod-us1-3]

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 51.08% (+0.00%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 21ad21d | Docs | Datadog PR Page | Give us feedback!}