From e9067237f2a3855a6eb82a56fe68d4a92cf681ba Mon Sep 17 00:00:00 2001
From: aivong-openhands <ai.vong@openhands.dev>
Date: Fri, 10 Apr 2026 15:08:57 -0500
Subject: [PATCH] Fix CVE-2025-64340: Update fastmcp to 3.2.0 (#13685)

Co-authored-by: openhands <openhands@all-hands.dev>
---
 enterprise/poetry.lock |  2 +-
 poetry.lock            |  2 +-
 pyproject.toml         |  4 ++--
 uv.lock                | 10 +++++-----
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/enterprise/poetry.lock b/enterprise/poetry.lock
index c277ce3790..df1440c9c8 100644
--- a/enterprise/poetry.lock
+++ b/enterprise/poetry.lock
@@ -6499,7 +6499,7 @@ deprecation = ">=2.1"
 dirhash = "*"
 docker = "*"
 fastapi = "*"
-fastmcp = ">=3,<4"
+fastmcp = ">=3.2,<4"
 google-api-python-client = ">=2.164"
 google-auth-httplib2 = "*"
 google-auth-oauthlib = "*"
diff --git a/poetry.lock b/poetry.lock
index 8169ef4969..e7971a03b3 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -15030,4 +15030,4 @@ third-party-runtimes = ["daytona", "e2b-code-interpreter", "modal", "runloop-api
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.12,<3.14"
-content-hash = "eeddecc551f4ddf3a6518413e1ca1c5bd1db0a15dcc2bf530839b3fc866be1a4"
+content-hash = "888ee60c315d8a16bdc7d823157a7e730b2fa33920e528abe33d5323b362603b"
diff --git a/pyproject.toml b/pyproject.toml
index 24d21e10a5..226e3b65ed 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -34,7 +34,7 @@ dependencies = [
   "dirhash",
   "docker",
   "fastapi",
-  "fastmcp>=3,<4",
+  "fastmcp>=3.2,<4",
   "google-api-python-client>=2.164",
   "google-auth-httplib2",
   "google-auth-oauthlib",
@@ -212,7 +212,7 @@ prompt-toolkit = "^3.0.50"
 poetry = "^2.3.3"
 anyio = "4.9.0"
 pythonnet = { version = "*", markers = "sys_platform == 'win32'" }
-fastmcp = ">=3,<4"
+fastmcp = ">=3.2,<4"
 python-frontmatter = "^1.1.0"
 shellingham = "^1.5.4"
 # TODO: Should these go into the runtime group?
diff --git a/uv.lock b/uv.lock
index 9f21dd0955..4593a7afb0 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1393,7 +1393,7 @@ wheels = [
 
 [[package]]
 name = "fastmcp"
-version = "3.1.0"
+version = "3.2.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "authlib" },
@@ -1418,9 +1418,9 @@ dependencies = [
     { name = "watchfiles" },
     { name = "websockets" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/0a/70/862026c4589441f86ad3108f05bfb2f781c6b322ad60a982f40b303b47d7/fastmcp-3.1.0.tar.gz", hash = "sha256:e25264794c734b9977502a51466961eeecff92a0c2f3b49c40c070993628d6d0", size = 17347083, upload-time = "2026-03-03T02:43:11.283Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/d0/32/4f1b2cfd7b50db89114949f90158b1dcc2c92a1917b9f57c0ff24e47a2f4/fastmcp-3.2.0.tar.gz", hash = "sha256:d4830b8ffc3592d3d9c76dc0f398904cf41f04910e41a0de38cc1004e0903bef", size = 26318581, upload-time = "2026-03-30T20:25:37.692Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/17/07/516f5b20d88932e5a466c2216b628e5358a71b3a9f522215607c3281de05/fastmcp-3.1.0-py3-none-any.whl", hash = "sha256:b1f73b56fd3b0cb2bd9e2a144fc650d5cc31587ed129d996db7710e464ae8010", size = 633749, upload-time = "2026-03-03T02:43:09.06Z" },
+    { url = "https://files.pythonhosted.org/packages/4f/67/684fa2d2de1e7504549d4ca457b4f854ccec3cd3be03bd86b33b599fbf58/fastmcp-3.2.0-py3-none-any.whl", hash = "sha256:e71aba3df16f86f546a4a9e513261d3233bcc92bef0dfa647bac3fa33623f681", size = 705550, upload-time = "2026-03-30T20:25:35.499Z" },
 ]
 
 [[package]]
@@ -3803,7 +3803,7 @@ requires-dist = [
     { name = "docker" },
     { name = "e2b-code-interpreter", marker = "extra == 'third-party-runtimes'", specifier = ">=2" },
     { name = "fastapi" },
-    { name = "fastmcp", specifier = ">=3,<4" },
+    { name = "fastmcp", specifier = ">=3.2,<4" },
     { name = "google-api-python-client", specifier = ">=2.164" },
     { name = "google-auth-httplib2" },
     { name = "google-auth-oauthlib" },
@@ -3859,7 +3859,7 @@ requires-dist = [
     { name = "qtconsole", specifier = ">=5.6.1" },
     { name = "rapidfuzz", specifier = ">=3.9" },
     { name = "redis", specifier = ">=5.2,<7" },
-    { name = "requests", specifier = ">=2.33.0" },
+    { name = "requests", specifier = ">=2.33" },
     { name = "runloop-api-client", marker = "extra == 'third-party-runtimes'", specifier = "==0.50" },
     { name = "setuptools", specifier = ">=78.1.1" },
     { name = "shellingham", specifier = ">=1.5.4" },