Fix CVE-2025-62727: Update starlette to 0.49.1 #13016

Merged
aivong-openhands merged 4 commits into main from fix-cve-2025-62727, Feb 24, 2026

Conversation

@aivong-openhands (Contributor) commented Feb 23, 2026

Summary

This PR addresses the security vulnerability CVE-2025-62727 by updating the starlette package from version 0.48.0 to 0.49.1.

Changes

  • Updated pyproject.toml:
    • Changed starlette minimum version from >=0.48 to >=0.49.1
    • Changed starlette pinned version from ^0.48.0 to ^0.49.1
  • Updated poetry.lock with new starlette 0.49.1 version and SHA256 hashes
  • Updated uv.lock starlette specifier to >=0.49.1

Security

  • CVE ID: CVE-2025-62727
  • Package: starlette
  • Previous Version: 0.48.0
  • Fixed Version: 0.49.1

Testing

This is a security patch that updates a dependency version. The package APIs remain compatible.

To run this PR locally, use the following command:

GUI with Docker:

docker run -it --rm \
  -p 3000:3000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --add-host host.docker.internal:host-gateway \
  -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.openhands.dev/openhands/runtime:8a7aded-nikolaik \
  --name openhands-app-8a7aded \
  docker.openhands.dev/openhands/openhands:8a7aded

This commit updates the starlette package from version 0.48.0 to 0.49.1
to address the security vulnerability CVE-2025-62727.

Changes:
- Updated pyproject.toml starlette minimum version to >=0.49.1
- Updated poetry.lock with new starlette 0.49.1 version and hashes
- Updated uv.lock starlette specifier to >=0.49.1

Co-authored-by: openhands <openhands@all-hands.dev>
@raymyers (Contributor)

Starlette upgrade looks safe.

https://starlette.dev/release-notes/#0490-october-28-2025

@github-actions (Contributor)

Coverage report

This PR does not seem to contain any modification to coverable code.

@aivong-openhands (Contributor, Author)

I was able to have a successful conversation with OpenHands:

[Screenshot, 2026-02-24 10:49:22 AM]

@aivong-openhands aivong-openhands marked this pull request as ready for review February 24, 2026 16:50
@all-hands-bot (Collaborator) left a comment

🟢 Good taste - Security fix done right

This is a straightforward security patch. All lock files are updated consistently, the version bump is correct, and the change is minimal. The proof is in CI passing.

VERDICT: ✅ Worth merging - Simple, correct security fix with no real concerns.

KEY INSIGHT: When a security fix is this simple, the biggest risk is overthinking it—ship it once CI confirms compatibility.

Comment thread pyproject.toml
"sqlalchemy[asyncio]>=2.0.40",
"sse-starlette>=3.0.2",
"starlette>=0.48",
"starlette>=0.49.1",
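Review bot: the floor `"starlette>=0.49.1"` excludes the affected 0.48.0 but leaves the upper bound open, while the Poetry pin further down the same file uses the caret spec `"^0.49.1"`, which caps below 0.50; the two constraints should agree on whether 0.50+ is acceptable, or the PR description should say why they differ. It is also worth confirming that the neighbouring `"sse-starlette>=3.0.2"` entry's own Starlette requirement admits 0.49.1, since the lock files were regenerated against both constraints together.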
Collaborator

🟡 Suggestion: The PR description claims "The package APIs remain compatible" but provides no source. Consider linking to the Starlette 0.49.1 release notes or changelog so reviewers can verify compatibility claims. Not blocking—CI passing is the real proof—but helpful for documentation.

Comment thread pyproject.toml
pypdf = "^6.0.0"
pillow = "^11.3.0"
starlette = "^0.48.0"
starlette = "^0.49.1"
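Review bot: the caret pin `starlette = "^0.49.1"` resolves to >=0.49.1,<0.50.0 under Poetry, so the project stays on the 0.49 series until the next manual bump; that is fine for a targeted CVE fix, but the "Fixed Version: 0.49.1" claim in the description should be backed by the `poetry.lock` entry resolving to exactly 0.49.1 with the new SHA256 hashes the description mentions, and a link to the advisory for CVE-2025-62727 would let reviewers check the 0.49.1 floor against the published fixed range.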
Collaborator

✅ Correctly updated both the dependency constraint (line 94) and the explicit pin (line 224). This is the right way to handle security updates across both places.

@aivong-openhands aivong-openhands merged commit 0f1ad46 into main Feb 24, 2026
18 checks passed
@aivong-openhands aivong-openhands deleted the fix-cve-2025-62727 branch February 24, 2026 16:55

4 participants