Conversation

@ikaadil (Contributor) commented Oct 5, 2025

…equirements.txt

FILL IN THE PR DESCRIPTION HERE

FIX #714

BEFORE SUBMITTING, PLEASE READ THE CHECKLIST BELOW AND FILL IN THE DESCRIPTION ABOVE


  • Make sure the code changes pass the pre-commit checks.
  • Sign-off your commit by using -s when doing git commit
  • Try to classify PRs for easy understanding of the type of changes, such as [Bugfix], [Feat], and [CI].
Detailed Checklist

Thank you for your contribution to production-stack! Before submitting the pull request, please ensure the PR meets the following criteria. This helps us maintain the code quality and improve the efficiency of the review process.

PR Title and Classification

Please try to classify PRs for easy understanding of the type of changes. The PR title is prefixed appropriately to indicate the type of change. Please use one of the following:

  • [Bugfix] for bug fixes.
  • [CI/Build] for build or continuous integration improvements.
  • [Doc] for documentation fixes and improvements.
  • [Feat] for new features in the cluster (e.g., autoscaling, disaggregated prefill, etc.).
  • [Router] for changes to the vllm_router (e.g., routing algorithm, router observability, etc.).
  • [Misc] for PRs that do not fit the above categories. Please use this sparingly.

Note: If the PR spans more than one category, please include all relevant prefixes.

Code Quality

The PR needs to meet the following code quality standards:

  • Pass all linter checks. Please use pre-commit to format your code. See README.md for installation.
  • The code needs to be well-documented to ensure future contributors can easily understand the code.
  • Please include sufficient tests to ensure the change stays correct and robust. This includes both unit tests and integration tests.

DCO and Signed-off-by

When contributing changes to this project, you must agree to the DCO. Commits must include a Signed-off-by: header which certifies agreement with the terms of the DCO.

Using -s with git commit will automatically add this header.

What to Expect for the Reviews

We aim to address all PRs in a timely manner. If no one reviews your PR within 5 days, please @-mention one of YuhanLiu11, Shaoting-Feng or ApostaC.

…equirements.txt

Signed-off-by: Ifta Khairul Alam Adil <ikaadil007@gmail.com>
@gemini-code-assist (Contributor) commented:
Summary of Changes

Hello @ikaadil, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a critical security update by upgrading the aiohttp dependency to a newer, more secure version. The primary goal is to mitigate a known vulnerability (CVE-2024-23334) and ensure the continued stability and security of the project's components, particularly within the vllm_router.

Highlights

  • Dependency Update: The aiohttp library has been updated to version 3.12.15 across the project's dependency configurations. This update includes the [speedups] extra for enhanced performance.
  • Security Fix: This update specifically addresses and resolves the CVE-2024-23334 vulnerability, enhancing the security posture of the application.
@gemini-code-assist (bot) left a review comment:

Code Review

This pull request aims to fix a security vulnerability (CVE-2024-23334) in aiohttp by updating its version. While updating is the correct approach, the target version 3.12.15 specified in the changes does not seem to exist for aiohttp, which would cause dependency installation to fail. I've left comments with suggestions to use the latest valid version, 3.9.5, which resolves the vulnerability.

@ikaadil (Contributor, Author) commented Oct 5, 2025

Security Fix: aiohttp vulnerability resolved

Problem

The current aiohttp version 3.9.1 has a high-severity vulnerability, CVE-2024-23334, with an EPSS score of 93.6%. This was flagged by the grype scanner as a critical security issue.

Before the fix (main branch)

grype lmcache/lmstack-router:latest

Found 95 total vulnerabilities including these aiohttp issues:

aiohttp    3.9.1    3.9.2     python  GHSA-5h86-8mv2-jq9f  High     93.6% (99th)   62.7   
aiohttp    3.9.1    3.9.4     python  GHSA-7gpw-8wmc-pm8g  Medium    0.7% (72nd)    0.4    
aiohttp    3.9.1    3.9.4     python  GHSA-5m98-qgg9-wh84  High      0.3% (52nd)    0.2    
aiohttp    3.9.1    3.9.2     python  GHSA-8qpw-xqxj-h4r2  Medium    0.2% (45th)    0.1    
aiohttp    3.9.1    3.10.11   python  GHSA-8495-4g3g-x7pr  Medium    0.2% (44th)    0.1    
aiohttp    3.9.1    3.12.14   python  GHSA-9548-qrrj-x5pj  Low      < 0.1% (13th)  < 0.1  

After the fix (this branch)

grype lmcache/lmstack-router:latest

Results:

  • Total vulnerabilities: 89 (down from 95)
  • High severity: 6 (down from 8)
  • aiohttp vulnerabilities: 0 (down from 6)

No aiohttp vulnerabilities found in the scan results.

Full grype output:

NAME                     INSTALLED                FIXED IN           TYPE    VULNERABILITY        SEVERITY    EPSS           RISK   
login.defs               1:4.17.4-2               (won't fix)        deb     CVE-2024-56433       Low         3.6% (87th)    1.2    
passwd                   1:4.17.4-2               (won't fix)        deb     CVE-2024-56433       Low         3.6% (87th)    1.2    
libgnutls30t64           3.8.9-3                                     deb     CVE-2011-3389        Negligible  4.6% (88th)    0.2    
python                   3.12.11                  3.13.6, 3.14.0rc2  binary  CVE-2025-8194        High        0.2% (43rd)    0.2    
libldap2                 2.6.10+dfsg-1                               deb     CVE-2017-17740       Negligible  2.8% (85th)    0.1    
libc-bin                 2.41-12                                     deb     CVE-2018-20796       Negligible  1.8% (82nd)    < 0.1  
libc6                    2.41-12                                     deb     CVE-2018-20796       Negligible  1.8% (82nd)    < 0.1  
libldap2                 2.6.10+dfsg-1                               deb     CVE-2015-3276        Negligible  1.8% (82nd)    < 0.1  
tar                      1.35+dfsg-3.1                               deb     CVE-2005-2541        Negligible  1.6% (80th)    < 0.1  
apt                      3.0.3                                       deb     CVE-2011-3374        Negligible  1.6% (80th)    < 0.1  
libapt-pkg7.0            3.0.3                                       deb     CVE-2011-3374        Negligible  1.6% (80th)    < 0.1  
libexpat1                2.7.1-2                                     deb     CVE-2025-59375       High        < 0.1% (23rd)  < 0.1  
libcurl3t64-gnutls       8.14.1-2                 (won't fix)        deb     CVE-2025-9086        High        < 0.1% (22nd)  < 0.1  
python                   3.12.11                  3.13.6, 3.14.0b3   binary  CVE-2025-6069        Medium      < 0.1% (26th)  < 0.1  
libc-bin                 2.41-12                                     deb     CVE-2019-1010023     Negligible  0.7% (71st)    < 0.1  
libc6                    2.41-12                                     deb     CVE-2019-1010023     Negligible  0.7% (71st)    < 0.1  
starlette                0.45.3                   0.47.2             python  GHSA-2c2j-9gv5-cj73  Medium      < 0.1% (21st)  < 0.1  
git                      1:2.47.3-0+deb13u1                          deb     CVE-2022-24975       Negligible  0.7% (70th)    < 0.1  
git-man                  1:2.47.3-0+deb13u1                          deb     CVE-2022-24975       Negligible  0.7% (70th)    < 0.1  
libsqlite3-0             3.46.1-7                 (won't fix)        deb     CVE-2025-7709        Medium      < 0.1% (14th)  < 0.1  
pip                      25.2                                        python  GHSA-4xh5-x5gv-qwph  Medium      < 0.1% (17th)  < 0.1  
libgssapi-krb5-2         1.21.3-5                                    deb     CVE-2018-5709        Negligible  0.5% (63rd)    < 0.1  
libk5crypto3             1.21.3-5                                    deb     CVE-2018-5709        Negligible  0.5% (63rd)    < 0.1  
libkrb5-3                1.21.3-5                                    deb     CVE-2018-5709        Negligible  0.5% (63rd)    < 0.1  
libkrb5support0          1.21.3-5                                    deb     CVE-2018-5709        Negligible  0.5% (63rd)    < 0.1  
libc-bin                 2.41-12                                     deb     CVE-2019-1010024     Negligible  0.4% (58th)    < 0.1  
libc6                    2.41-12                                     deb     CVE-2019-1010024     Negligible  0.4% (58th)    < 0.1  
libc-bin                 2.41-12                                     deb     CVE-2010-4756        Negligible  0.4% (58th)    < 0.1  
libc6                    2.41-12                                     deb     CVE-2010-4756        Negligible  0.4% (58th)    < 0.1  
libc-bin                 2.41-12                                     deb     CVE-2019-9192        Negligible  0.4% (57th)    < 0.1  
libc6                    2.41-12                                     deb     CVE-2019-9192        Negligible  0.4% (57th)    < 0.1  
libcurl3t64-gnutls       8.14.1-2                 (won't fix)        deb     CVE-2025-10148       Medium      < 0.1% (8th)   < 0.1  
git                      1:2.47.3-0+deb13u1                          deb     CVE-2018-1000021     Negligible  0.3% (53rd)    < 0.1  
git-man                  1:2.47.3-0+deb13u1                          deb     CVE-2018-1000021     Negligible  0.3% (53rd)    < 0.1  
libssl3t64               3.5.1-1                  3.5.1-1+deb13u1    deb     CVE-2025-9230        High        < 0.1% (3rd)   < 0.1  
openssl                  3.5.1-1                  3.5.1-1+deb13u1    deb     CVE-2025-9230        High        < 0.1% (3rd)   < 0.1  
openssl-provider-legacy  3.5.1-1                  3.5.1-1+deb13u1    deb     CVE-2025-9230        High        < 0.1% (3rd)   < 0.1  
libssl3t64               3.5.1-1                  3.5.1-1+deb13u1    deb     CVE-2025-9232        Medium      < 0.1% (5th)   < 0.1  
openssl                  3.5.1-1                  3.5.1-1+deb13u1    deb     CVE-2025-9232        Medium      < 0.1% (5th)   < 0.1  
openssl-provider-legacy  3.5.1-1                  3.5.1-1+deb13u1    deb     CVE-2025-9232        Medium      < 0.1% (5th)   < 0.1  
libsqlite3-0             3.46.1-7                                    deb     CVE-2021-45346       Negligible  0.2% (47th)    < 0.1  
libc-bin                 2.41-12                                     deb     CVE-2019-1010025     Negligible  0.2% (45th)    < 0.1  
libc6                    2.41-12                                     deb     CVE-2019-1010025     Negligible  0.2% (45th)    < 0.1  
libgssapi-krb5-2         1.21.3-5                                    deb     CVE-2024-26458       Negligible  0.2% (43rd)    < 0.1  
libk5crypto3             1.21.3-5                                    deb     CVE-2024-26458       Negligible  0.2% (43rd)    < 0.1  
libkrb5-3                1.21.3-5                                    deb     CVE-2024-26458       Negligible  0.2% (43rd)    < 0.1  
libkrb5support0          1.21.3-5                                    deb     CVE-2024-26458       Negligible  0.2% (43rd)    < 0.1  
libperl5.40              5.40.1-6                                    deb     CVE-2011-4116        Negligible  0.2% (42nd)    < 0.1  
perl                     5.40.1-6                                    deb     CVE-2011-4116        Negligible  0.2% (42nd)    < 0.1  
perl-base                5.40.1-6                                    deb     CVE-2011-4116        Negligible  0.2% (42nd)    < 0.1  
perl-modules-5.40        5.40.1-6                                    deb     CVE-2011-4116        Negligible  0.2% (42nd)    < 0.1  
login.defs               1:4.17.4-2                                  deb     CVE-2007-5686        Negligible  0.2% (36th)    < 0.1  
passwd                   1:4.17.4-2                                  deb     CVE-2007-5686        Negligible  0.2% (36th)    < 0.1  
libssl3t64               3.5.1-1                  3.5.1-1+deb13u1    deb     CVE-2025-9231        Medium      < 0.1% (1st)   < 0.1  
openssl                  3.5.1-1                  3.5.1-1+deb13u1    deb     CVE-2025-9231        Medium      < 0.1% (1st)   < 0.1  
openssl-provider-legacy  3.5.1-1                  3.5.1-1+deb13u1    deb     CVE-2025-9231        Medium      < 0.1% (1st)   < 0.1  
libc-bin                 2.41-12                                     deb     CVE-2019-1010022     Negligible  0.1% (35th)    < 0.1  
libc6                    2.41-12                                     deb     CVE-2019-1010022     Negligible  0.1% (35th)    < 0.1  
libldap2                 2.6.10+dfsg-1                               deb     CVE-2020-15719       Negligible  0.1% (34th)    < 0.1  
libsystemd0              257.8-1~deb13u2                             deb     CVE-2023-31437       Negligible  0.1% (33rd)    < 0.1  
libudev1                 257.8-1~deb13u2                             deb     CVE-2023-31437       Negligible  0.1% (33rd)    < 0.1  
libncursesw6             6.5+20250216-2           (won't fix)        deb     CVE-2025-6141        Low         < 0.1% (3rd)   < 0.1  
libtinfo6                6.5+20250216-2           (won't fix)        deb     CVE-2025-6141        Low         < 0.1% (3rd)   < 0.1  
ncurses-base             6.5+20250216-2           (won't fix)        deb     CVE-2025-6141        Low         < 0.1% (3rd)   < 0.1  
ncurses-bin              6.5+20250216-2           (won't fix)        deb     CVE-2025-6141        Low         < 0.1% (3rd)   < 0.1  
libldap2                 2.6.10+dfsg-1                               deb     CVE-2017-14159       Negligible  0.1% (30th)    < 0.1  
libsystemd0              257.8-1~deb13u2                             deb     CVE-2023-31438       Negligible  0.1% (28th)    < 0.1  
libudev1                 257.8-1~deb13u2                             deb     CVE-2023-31438       Negligible  0.1% (28th)    < 0.1  
git                      1:2.47.3-0+deb13u1                          deb     CVE-2024-52005       Negligible  0.1% (28th)    < 0.1  
git-man                  1:2.47.3-0+deb13u1                          deb     CVE-2024-52005       Negligible  0.1% (28th)    < 0.1  
libsystemd0              257.8-1~deb13u2                             deb     CVE-2023-31439       Negligible  < 0.1% (27th)  < 0.1  
libudev1                 257.8-1~deb13u2                             deb     CVE-2023-31439       Negligible  < 0.1% (27th)  < 0.1  
libsystemd0              257.8-1~deb13u2                             deb     CVE-2013-4392        Negligible  < 0.1% (21st)  < 0.1  
libudev1                 257.8-1~deb13u2                             deb     CVE-2013-4392        Negligible  < 0.1% (21st)  < 0.1  
libgssapi-krb5-2         1.21.3-5                                    deb     CVE-2024-26461       Negligible  < 0.1% (20th)  < 0.1  
libk5crypto3             1.21.3-5                                    deb     CVE-2024-26461       Negligible  < 0.1% (20th)  < 0.1  
libkrb5-3                1.21.3-5                                    deb     CVE-2024-26461       Negligible  < 0.1% (20th)  < 0.1  
libkrb5support0          1.21.3-5                                    deb     CVE-2024-26461       Negligible  < 0.1% (20th)  < 0.1  
coreutils                9.7-3                                       deb     CVE-2017-18018       Negligible  < 0.1% (17th)  < 0.1  
bsdutils                 1:2.41-5                                    deb     CVE-2022-0563        Negligible  < 0.1% (5th)   < 0.1  
libblkid1                2.41-5                                      deb     CVE-2022-0563        Negligible  < 0.1% (5th)   < 0.1  
liblastlog2-2            2.41-5                                      deb     CVE-2022-0563        Negligible  < 0.1% (5th)   < 0.1  
libmount1                2.41-5                                      deb     CVE-2022-0563        Negligible  < 0.1% (5th)   < 0.1  
libsmartcols1            2.41-5                                      deb     CVE-2022-0563        Negligible  < 0.1% (5th)   < 0.1  
libuuid1                 2.41-5                                      deb     CVE-2022-0563        Negligible  < 0.1% (5th)   < 0.1  
login                    1:4.16.0-2+really2.41-5                     deb     CVE-2022-0563        Negligible  < 0.1% (5th)   < 0.1  
mount                    2.41-5                                      deb     CVE-2022-0563        Negligible  < 0.1% (5th)   < 0.1  
util-linux               2.41-5                                      deb     CVE-2022-0563        Negligible  < 0.1% (5th)   < 0.1  
coreutils                9.7-3                                       deb     CVE-2025-5278        Negligible  < 0.1% (5th)   < 0.1

Summary

  • Fixed CVE-2024-23334 vulnerability
  • Reduced total vulnerability count by 6
  • Reduced high severity vulnerabilities by 2
  • All aiohttp security issues resolved

The fix is ready for merge.
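To make the before/after comparison in the comment above reproducible rather than hand-counted, here is a small parser for grype's default table output that computes the same figures (total findings, findings per severity, findings for one package) and lists which (package, vulnerability) pairs disappeared between two scans. This is an added example and not code from the PR or the production-stack project; the sample table inside it is constructed from the rows quoted above, laid out the way grype prints them, and covers the awkward cells (EPSS values with spaces, a comma-separated fix list, an empty "FIXED IN" cell) that a naive whitespace split would mangle.

```python
"""Parse, summarise and diff grype's table output (added example; not PR code).

grype's default table has fixed-width columns whose cells may contain spaces
("< 0.1% (13th)", "3.13.6, 3.14.0rc2", "(won't fix)") or be empty when no fix
exists, so column boundaries are taken from the header line rather than
splitting on whitespace.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# grype's column headers, in order; "FIXED IN" is one two-word column.
HEADERS = ["NAME", "INSTALLED", "FIXED IN", "TYPE",
           "VULNERABILITY", "SEVERITY", "EPSS", "RISK"]


@dataclass(frozen=True)
class Finding:
    name: str
    installed: str
    fixed_in: str
    pkg_type: str
    vulnerability: str
    severity: str
    epss: str
    risk: str


def _column_starts(header: str) -> list[int]:
    """Character offset at which each header column begins."""
    starts, pos = [], 0
    for h in HEADERS:
        pos = header.index(h, pos)
        starts.append(pos)
        pos += len(h)
    return starts


def parse_grype_table(text: str) -> list[Finding]:
    """Turn grype's table into Finding records; anything before the header is skipped."""
    lines = text.splitlines()
    hdr = next((i for i, ln in enumerate(lines) if ln.startswith("NAME")), None)
    if hdr is None:
        raise ValueError("no grype header line found")
    starts = _column_starts(lines[hdr])
    findings = []
    for ln in lines[hdr + 1:]:
        if not ln.strip():
            continue
        # Slice each row at the header's column offsets, then trim padding.
        cells = [ln[s:e].strip() for s, e in zip(starts, starts[1:] + [len(ln)])]
        findings.append(Finding(*cells))
    return findings


def summarize(findings: list[Finding], package: str | None = None) -> dict:
    """The counts quoted in the PR comment: total, per severity and per package."""
    out = {"total": len(findings),
           "by_severity": dict(Counter(f.severity for f in findings))}
    if package is not None:
        out["package_findings"] = sum(1 for f in findings if f.name == package)
    return out


def fixable(findings: list[Finding]) -> list[Finding]:
    """Findings an upgrade can remove: a fix version exists and is not won't-fix."""
    return [f for f in findings if f.fixed_in and f.fixed_in != "(won't fix)"]


def diff_scans(before: list[Finding], after: list[Finding]) -> dict[str, list]:
    """(package, vulnerability) pairs that disappeared or appeared between scans."""
    b = {(f.name, f.vulnerability) for f in before}
    a = {(f.name, f.vulnerability) for f in after}
    return {"fixed": sorted(b - a), "new": sorted(a - b)}


# Constructed sample laid out as grype prints it: the six aiohttp 3.9.1 rows
# from the before-scan plus three rows from the after-scan (one with a
# comma-separated fix list, one with no fix at all).
HEADER = "NAME       INSTALLED  FIXED IN           TYPE    VULNERABILITY        SEVERITY  EPSS           RISK"
AIOHTTP_ROWS = [
    "aiohttp    3.9.1      3.9.2              python  GHSA-5h86-8mv2-jq9f  High      93.6% (99th)   62.7",
    "aiohttp    3.9.1      3.9.4              python  GHSA-7gpw-8wmc-pm8g  Medium    0.7% (72nd)    0.4",
    "aiohttp    3.9.1      3.9.4              python  GHSA-5m98-qgg9-wh84  High      0.3% (52nd)    0.2",
    "aiohttp    3.9.1      3.9.2              python  GHSA-8qpw-xqxj-h4r2  Medium    0.2% (45th)    0.1",
    "aiohttp    3.9.1      3.10.11            python  GHSA-8495-4g3g-x7pr  Medium    0.2% (44th)    0.1",
    "aiohttp    3.9.1      3.12.14            python  GHSA-9548-qrrj-x5pj  Low       < 0.1% (13th)  < 0.1",
]
OTHER_ROWS = [
    "starlette  0.45.3     0.47.2             python  GHSA-2c2j-9gv5-cj73  Medium    < 0.1% (21st)  < 0.1",
    "python     3.12.11    3.13.6, 3.14.0rc2  binary  CVE-2025-8194        High      0.2% (43rd)    0.2",
    "libexpat1  2.7.1-2                       deb     CVE-2025-59375       High      < 0.1% (23rd)  < 0.1",
]
BEFORE_SCAN = "\n".join([HEADER, *AIOHTTP_ROWS, *OTHER_ROWS])
AFTER_SCAN = "\n".join([HEADER, *OTHER_ROWS])

if __name__ == "__main__":
    before, after = parse_grype_table(BEFORE_SCAN), parse_grype_table(AFTER_SCAN)
    print("before:", summarize(before, "aiohttp"))
    print("after: ", summarize(after, "aiohttp"))
    print("fixed: ", diff_scans(before, after)["fixed"])
```

In practice you would feed it the captured stdout of two `grype <image>` runs (main versus the PR branch) and gate the merge on `diff_scans(...)["new"]` being empty and the package of interest dropping to zero findings; `fixable()` separates findings an upgrade can actually clear from the "(won't fix)" and no-fix rows that pad the total.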

@zerofishnoodles (Collaborator) previously approved these changes Oct 7, 2025 and left a comment:

Can you use the latest stable version since you want to update it?

@ikaadil (Contributor, Author) commented Oct 7, 2025

Can you use the latest stable version since you want to update it?

Ha ha. They just released a new version after my change. I am updating the version. Thanks.

Signed-off-by: Ifta Khairul Alam Adil <ikaadil007@gmail.com>
@zerofishnoodles (Collaborator) left a comment:

LGTM

@zerofishnoodles zerofishnoodles merged commit 3db93b8 into vllm-project:main Oct 8, 2025
14 checks passed
Senne-Mennes pushed a commit to Senne-Mennes/production-stack that referenced this pull request Oct 22, 2025
…-project#722)

* Update aiohttp dependency to include speedups in pyproject.toml and requirements.txt

Signed-off-by: Ifta Khairul Alam Adil <ikaadil007@gmail.com>

* Update aiohttp dependency to version 3.13.0 for performance improvements

Signed-off-by: Ifta Khairul Alam Adil <ikaadil007@gmail.com>

---------

Signed-off-by: Ifta Khairul Alam Adil <ikaadil007@gmail.com>
Signed-off-by: senne.mennes@capgemini.com <senne.mennes@capgemini.com>
Development

Successfully merging this pull request may close these issues.

bug: Update vulnerable version of aiohttp

2 participants