Fix CVE-2025-67221: Update orjson to 3.11.6+ (#13371)

Co-authored-by: OpenHands CVE Fix Bot <openhands@all-hands.dev>
aivong-openhands
2026-03-13 06:58:56 -05:00
committed by GitHub
parent 8799c07027
commit e82bf44324
3 changed files with 113 additions and 122 deletions


@@ -62,6 +62,7 @@ dependencies = [
"openhands-tools==1.13",
"opentelemetry-api>=1.33.1",
"opentelemetry-exporter-otlp-proto-grpc>=1.33.1",
"orjson>=3.11.6",
"pathspec>=0.12.1",
"pexpect",
"pg8000>=1.31.5",
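Review bot: The new `"orjson>=3.11.6"` entry in the `dependencies` array carries no reason for its floor, while the matching line in the `[tool.poetry.dependencies]` hunk below is annotated with the CVE; someone later relaxing or widening this bound has no way to tell from here that it is a security floor. Add the same rationale on this line, e.g. `"orjson>=3.11.6",  # lower bound fixes CVE-2025-67221`, and mention that the Poetry table carries the same bound so the two declarations are kept in step. If the two floors drift apart, whichever tool reads the looser block would presumably accept an affected orjson release again. The `dependencies` array continues outside the hunk.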
@@ -163,6 +164,7 @@ include = [
[tool.poetry.dependencies]
python = "^3.12,<3.14"
authlib = ">=1.6.7" # Pinned to fix CVE-2026-28802
orjson = ">=3.11.6" # Pinned to fix CVE-2025-67221
litellm = ">=1.74.3, !=1.64.4, !=1.67.*" # avoid 1.64.4 (known bug) & 1.67.* (known bug #10272)
openai = "2.8.0" # Pin due to litellm incompatibility with >=1.100.0 (BerriAI/litellm#13711)
aiohttp = ">=3.13.3" # Pin to avoid CVE-2025-69223 (vulnerable versions < 3.13.3)
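Review bot: The comment on the new `orjson` line says "Pinned", but `">=3.11.6"` is a lower bound, not a pin: the version actually installed is decided by the lock file, which this hunk does not show (the diffstat's third changed file is presumably the lock file — confirm it resolves orjson to 3.11.6 or later, otherwise the advisory is not addressed by this line alone). The wording follows the `authlib` line above, so either keep it for consistency or state the mechanism, e.g. `orjson = ">=3.11.6" # Lower bound: CVE-2025-67221 fixed in 3.11.6`. Placement between `authlib` and `litellm` matches the existing, non-alphabetical order of this table, so no reordering is needed.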