From 0f1ad46a4720892af273049386bf08eb39cd611f Mon Sep 17 00:00:00 2001
From: aivong-openhands <ai.vong@openhands.dev>
Date: Tue, 24 Feb 2026 10:55:32 -0600
Subject: [PATCH] Fix CVE-2025-62727: Update starlette to 0.49.1 (#13016)

Co-authored-by: OpenHands CVE Fix Bot <openhands@all-hands.dev>
Co-authored-by: Ray Myers <ray.myers@gmail.com>
---
 poetry.lock    | 8 ++++----
 pyproject.toml | 4 ++--
 uv.lock        | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index 202d8201e1..342f5cb555 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -13161,14 +13161,14 @@ files = [
 
 [[package]]
 name = "starlette"
-version = "0.48.0"
+version = "0.49.1"
 description = "The little ASGI library that shines."
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "starlette-0.48.0-py3-none-any.whl", hash = "sha256:0764ca97b097582558ecb498132ed0c7d942f233f365b86ba37770e026510659"},
-    {file = "starlette-0.48.0.tar.gz", hash = "sha256:7e8cee469a8ab2352911528110ce9088fdc6a37d9876926e73da7ce4aa4c7a46"},
+    {file = "starlette-0.49.1-py3-none-any.whl", hash = "sha256:d92ce9f07e4a3caa3ac13a79523bd18e3bc0042bb8ff2d759a8e7dd0e1859875"},
+    {file = "starlette-0.49.1.tar.gz", hash = "sha256:481a43b71e24ed8c43b11ea02f5353d77840e01480881b8cb5a26b8cae64a8cb"},
 ]
 
 [package.dependencies]
@@ -14724,4 +14724,4 @@ third-party-runtimes = ["daytona", "e2b-code-interpreter", "modal", "runloop-api
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.12,<3.14"
-content-hash = "91cf4d77b664da6d531d557c21c0d3b200a2974b96a7bb85bb53f00960ca7ac6"
+content-hash = "4a60b2d840718caa7e16ffacb06e32c07317645ff880c6af012afe6097db1337"
diff --git a/pyproject.toml b/pyproject.toml
index 59a1d705aa..0a06ed5643 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -91,7 +91,7 @@ dependencies = [
   "shellingham>=1.5.4",
   "sqlalchemy[asyncio]>=2.0.40",
   "sse-starlette>=3.0.2",
-  "starlette>=0.48",
+  "starlette>=0.49.1",
   "tenacity>=8.5,<10",
   "termcolor",
   "toml",
@@ -221,7 +221,7 @@ bashlex = "^0.18"
 # Explicitly pinned packages for latest versions
 pypdf = "^6.0.0"
 pillow = "^11.3.0"
-starlette = "^0.48.0"
+starlette = "^0.49.1"
 urllib3 = "^2.6.3"
 requests = "^2.32.5"
 setuptools = ">=78.1.1"
diff --git a/uv.lock b/uv.lock
index 4981c6bdff..20b6f68e4f 100644
--- a/uv.lock
+++ b/uv.lock
@@ -3823,7 +3823,7 @@ requires-dist = [
     { name = "shellingham", specifier = ">=1.5.4" },
     { name = "sqlalchemy", extras = ["asyncio"], specifier = ">=2.0.40" },
     { name = "sse-starlette", specifier = ">=3.0.2" },
-    { name = "starlette", specifier = ">=0.48" },
+    { name = "starlette", specifier = ">=0.49.1" },
     { name = "tenacity", specifier = ">=8.5,<10" },
     { name = "termcolor" },
     { name = "toml" },