Update aiohttp dependency to fix 9 security vulnerabilities (CVEs)

[genyk1p]

Problem

inference-sdk (latest version 0.63.5) pins aiohttp to <=3.10.11, which has 9 known CVEs:

CVE	Severity	Description
CVE-2025-53643	High	Request smuggling vulnerability
CVE-2025-69223	High	Zip bomb DoS
CVE-2025-69224	Medium	Request smuggling with non-ASCII
CVE-2025-69228	High	Memory exhaustion
CVE-2025-69229	Medium	Chunked message DoS
CVE-2025-69230	Medium	Logging storm
CVE-2025-69226	High	Path traversal
CVE-2025-69227	Medium	Infinite loop DoS
CVE-2025-69225	Low	Non-ASCII decimals in Range header

Current constraint

aiohttp<=3.10.11,>=3.9.0

Request

Please update the aiohttp dependency to >=3.13.3 (or remove the upper bound) to allow users to fix these security vulnerabilities.

Impact

Projects using inference-sdk cannot update aiohttp to patched versions, leaving them exposed to these CVEs.

References

• aiohttp security advisories
• CVE-2025-53643

Thank you!

[PawelPeczek-Roboflow]

Hi, the issue has been resolved:
#2069
https://github.com/roboflow/inference/pull/2071/changes
Sorry for not reporting back here.