
[Aikido] Fix 14 security issues in pypdf, aiohttp, protobuf and 1 more#20

Closed
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-16319695-bhrb

Conversation

@aikido-autofix

Upgrade pypdf, aiohttp, protobuf to address critical DoS and memory exhaustion vulnerabilities in PDF parsing, HTTP request handling, and protobuf parsing.

✅ 14 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2026-24688 | HIGH | [pypdf] Infinite loop vulnerability in PDF parsing allows crafting a malicious PDF that triggers an endless processing cycle when accessing document outlines/bookmarks, potentially causing denial of service through resource exhaustion. |
| CVE-2025-66019 | MEDIUM | [pypdf] Memory exhaustion vulnerability in PDF parsing where crafting a malicious PDF with LZWDecode filter can cause excessive memory consumption, potentially leading to denial of service by allocating up to 1 GB of memory per stream. |
| CVE-2026-22691 | MEDIUM | [pypdf] Possible long runtime vulnerability in non-strict PDF reading mode. Crafted PDFs with excessive whitespace can cause significant processing delays, potentially leading to a denial of service (DoS) condition during cross-reference table reconstruction. |
| CVE-2026-22690 | LOW | [pypdf] Denial of Service (DoS) vulnerability where crafting a malicious PDF with a large /Size value and missing /Root object can cause extremely long processing times in non-strict reading mode, potentially causing application unresponsiveness. |
| CVE-2025-69223 | HIGH | [aiohttp] A zip bomb vulnerability allows attackers to send compressed requests that, when decompressed, can exhaust server memory, causing a Denial of Service (DoS) attack against the HTTP server. |
| CVE-2025-69227 | HIGH | [aiohttp] A DoS vulnerability allows attackers to trigger an infinite loop when processing POST bodies by bypassing assert statements, potentially causing the application to become unresponsive if optimizations are enabled. |
| CVE-2025-69228 | HIGH | [aiohttp] Memory exhaustion vulnerability where crafting a specific request causes the server to consume excessive memory when processing POST requests, potentially leading to a Denial of Service (DoS) by freezing the server. |
| CVE-2025-69224 | MEDIUM | [aiohttp] HTTP parser vulnerability allows request smuggling attacks when non-ASCII characters are present, potentially bypassing firewall/proxy protections if the pure Python version is used. Enables attackers to manipulate HTTP request parsing and potentially compromise network security. |
| CVE-2025-69229 | MEDIUM | [aiohttp] A vulnerability in chunked message handling can cause excessive CPU blocking when processing large chunk requests. An attacker could trigger prolonged server processing, potentially causing a Denial of Service (DoS) by consuming server resources. |
| CVE-2025-69225 | MEDIUM | [aiohttp] Potential HTTP request smuggling vulnerability in parser logic allows non-ASCII decimals in Range headers, which could potentially enable malicious manipulation of HTTP requests with unknown security implications. |
| CVE-2025-69226 | MEDIUM | [aiohttp] Information disclosure vulnerability in static file handling allows attackers to probe and confirm existence of absolute path components through path normalization logic, potentially revealing server filesystem structure. |
| CVE-2025-69230 | MEDIUM | [aiohttp] Vulnerability allows attackers to trigger excessive logging by sending maliciously crafted Cookie headers, potentially causing a logging storm that could impact application performance and log storage. |
| CVE-2026-0994 | HIGH | [protobuf] Denial-of-service vulnerability allows bypassing recursion depth limits when parsing nested Any messages, potentially causing Python to exhaust its recursion stack and crash via maliciously crafted input. |
| GHSA-rcfx-77hg-w2wv | HIGH | [fastmcp] A vulnerability in the MCP SDK allows remote code execution via improper input validation, potentially enabling attackers to execute arbitrary code or commands on affected systems by crafting malicious input payloads. |

aikido-autofix[bot] closed this on Feb 16, 2026