
Make aiohttp version requirements consistent; address CVE-2025-69223#693

Merged
rbs-jacob merged 4 commits into
masterfrom
maintenance/aiohttp_requirements
Feb 13, 2026

Conversation

@ANogin
Contributor

@ANogin ANogin commented Feb 1, 2026

  • I have reviewed the OFRAK contributor guide and attest that this pull request is in accordance with it.
  • I have made or updated a changelog entry for the changes in this pull request.

One sentence summary of this PR (This should go in the CHANGELOG!)

Bump aiohttp to >=3.13.3 to address CVE-2025-69223

Link to Related Issue(s)

N/A

Please describe the changes in your request.

We used to have:

```
ofrak_core/setup.py:        "aiohttp>=3.12.14",
ofrak_core/requirements.txt:aiohttp>=3.12.14
disassemblers/ofrak_ghidra/setup.py:        "aiohttp~=3.12.14",
disassemblers/ofrak_ghidra/requirements.txt:aiohttp>=3.12.14
```

but the `>=` requirements were resulting in aiohttp 3.13.x getting installed, which then clashed with ofrak_ghidra's setup.py.

At the same time, 3.12.14 (all <= 3.13.2) have a security vulnerability (CVE-2025-69223).

This changes both setup.py to `>=3.13.3` and requirements.txt to use `==3.13.3`.

Anyone you think should look at this, specifically?

@whyitfor
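The clash described in this PR comes from the difference between `>=` and the PEP 440 compatible-release operator `~=`: `~=3.12.14` means `>=3.12.14, ==3.12.*`, so it rejects every 3.13.x release that a bare `>=3.12.14` happily resolves to. The script below is an added illustration, not OFRAK project code. It re-implements only the operators used in the PR (`>=`, `==`, `<=`, `~=`) for plain dotted versions, then compares the old and new requirement sets from the description: which versions each set admits as a whole, which file's standalone resolution would be rejected by another file, and whether any version still admitted lies in the range the PR gives for CVE-2025-69223 (`<= 3.13.2`). The candidate version list is a constructed sample, not a claim about which aiohttp releases exist.

```python
# Added illustration for this PR, not OFRAK project code.  Re-implements the
# PEP 440 operators >=, ==, <= and ~= for plain dotted versions (no
# pre-release, post-release or wildcard handling) so the old and new aiohttp
# requirement sets can be compared offline.

# Requirement sets copied from the PR description.
OLD_REQUIREMENTS = {
    "ofrak_core/setup.py": "aiohttp>=3.12.14",
    "ofrak_core/requirements.txt": "aiohttp>=3.12.14",
    "disassemblers/ofrak_ghidra/setup.py": "aiohttp~=3.12.14",
    "disassemblers/ofrak_ghidra/requirements.txt": "aiohttp>=3.12.14",
}
NEW_REQUIREMENTS = {
    "ofrak_core/setup.py": "aiohttp>=3.13.3",
    "ofrak_core/requirements.txt": "aiohttp==3.13.3",
    "disassemblers/ofrak_ghidra/setup.py": "aiohttp>=3.13.3",
    "disassemblers/ofrak_ghidra/requirements.txt": "aiohttp==3.13.3",
}

# CVE-2025-69223 affects aiohttp <= 3.13.2 according to the PR description.
VULNERABLE_RANGE = ("<=", "3.13.2")

# Constructed sample of versions a resolver might see; not a claim about
# which aiohttp releases actually exist.
CANDIDATES = ["3.12.14", "3.12.15", "3.13.0", "3.13.2", "3.13.3"]


def parse_version(text):
    """'3.12.14' -> (3, 12, 14); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(req):
    """Split 'name<op>version' into (name, op, version); ops are two chars."""
    for i, ch in enumerate(req):
        if ch in "<>=~!":
            return req[:i], req[i:i + 2], req[i + 2:]
    raise ValueError(f"no operator in {req!r}")


def satisfies(version, op, spec):
    v, s = parse_version(version), parse_version(spec)
    if op == ">=":
        return v >= s
    if op == "<=":
        return v <= s
    if op == "==":
        return v == s
    if op == "~=":
        # Compatible release: ~=3.12.14 means >=3.12.14 and ==3.12.*, i.e.
        # only the last given component may grow; the prefix is fixed.
        return v >= s and v[:len(s) - 1] == s[:-1]
    raise ValueError(f"unsupported operator {op!r}")


def allowed_by(requirement, candidates):
    """Candidates satisfying one requirement string."""
    _, op, spec = parse_requirement(requirement)
    return [c for c in candidates if satisfies(c, op, spec)]


def allowed_by_all(requirements, candidates):
    """Candidates satisfying every requirement in the set (the intersection)."""
    allowed = list(candidates)
    for req in requirements.values():
        allowed = allowed_by(req, allowed)
    return allowed


def standalone_pick(requirement, candidates):
    """Newest candidate a resolver would take when only this requirement is
    installed, which is what happens when one package is installed first."""
    allowed = allowed_by(requirement, candidates)
    return max(allowed, key=parse_version) if allowed else None


def clashes(requirements, candidates):
    """(file, picked version, rejecting file) triples: a file whose standalone
    pick is rejected by another file in the set.  This is how '>=' in
    ofrak_core pulled 3.13.x past ofrak_ghidra's '~=3.12.14'."""
    out = []
    for path, req in requirements.items():
        pick = standalone_pick(req, candidates)
        if pick is None:
            continue
        for other_path, other_req in requirements.items():
            if other_path != path and pick not in allowed_by(other_req, candidates):
                out.append((path, pick, other_path))
                break
    return out


def vulnerable_allowed(requirements, candidates):
    """Versions the whole set still permits that fall in the vulnerable range."""
    op, spec = VULNERABLE_RANGE
    return [v for v in allowed_by_all(requirements, candidates) if satisfies(v, op, spec)]


if __name__ == "__main__":
    for label, reqs in (("old", OLD_REQUIREMENTS), ("new", NEW_REQUIREMENTS)):
        print(label, "jointly allowed:", allowed_by_all(reqs, CANDIDATES))
        print(label, "clashes:", clashes(reqs, CANDIDATES))
        print(label, "vulnerable still allowed:", vulnerable_allowed(reqs, CANDIDATES))
```

With the sample candidates, the old set jointly admits only 3.12.x (all inside the vulnerable range) while three of its four files would, installed on their own, pick 3.13.3 and then be rejected by ofrak_ghidra's `~=`; the new set admits exactly 3.13.3 with no clash and nothing vulnerable left. The same check is easy to run against a real dependency tree with the `packaging` library's `SpecifierSet`, which handles the full PEP 440 grammar this toy parser omits.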

We used to have:
```
ofrak_core/setup.py:        "aiohttp>=3.12.14",
ofrak_core/requirements.txt:aiohttp>=3.12.14
disassemblers/ofrak_ghidra/setup.py:        "aiohttp~=3.12.14",
disassemblers/ofrak_ghidra/requirements.txt:aiohttp>=3.12.14
```
but the `>=` requirements were resulting in `aiohttp` 3.13.x getting
installed, which then clashed with `ofrak_ghidra`'s `setup.py`

This changes both `requirements.txt` to use `=~3.12.14`
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@ANogin ANogin changed the title Make aiohttp version requirements consistent Make aiohttp version requirements consistent; address CVE-2025-69223 Feb 3, 2026
Contributor

@whyitfor whyitfor left a comment


Need to bump ofrak and ofrak_ghidra rc version numbers with this change.

@ANogin ANogin requested a review from whyitfor February 4, 2026 04:52
@whyitfor whyitfor requested a review from rbs-jacob February 11, 2026 18:42
Member

@rbs-jacob rbs-jacob left a comment


Confirmed that this is not a breaking change with regards to internal projects that use OFRAK.

@rbs-jacob rbs-jacob merged commit a54b2b5 into master Feb 13, 2026
189 of 191 checks passed
@whyitfor whyitfor deleted the maintenance/aiohttp_requirements branch March 23, 2026 17:51
3 participants