[Aikido] Fix 2 critical issues in pyyaml and 14 other issues#38

Open
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-AIKIDO-460-AIKIDO-1260-AIKIDO-347-AIKIDO-1164-update-packages-16745788-18xv

Conversation

@aikido-autofix
Upgrade PyYAML, urllib3, and requests to address critical RCE and information disclosure vulnerabilities in YAML parsing and HTTP client libraries.

✅ 16 CVEs resolved by this upgrade, including 2 critical 🚨 CVEs

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2020-14343 | 🚨 CRITICAL | [pyyaml] Arbitrary code execution vulnerability in YAML processing when handling untrusted input through full_load or FullLoader, allowing attackers to execute arbitrary code via malicious YAML constructs. |
| CVE-2017-18342 | 🚨 CRITICAL | [pyyaml] In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function. |
| CVE-2023-43804 | HIGH | [urllib3] A vulnerability allows unintended cookie leakage via HTTP redirects to different origins when users specify a Cookie header without explicitly disabling redirects. This can lead to information disclosure as sensitive cookie data may be exposed to unintended recipients. |
| CVE-2019-11324 | HIGH | [urllib3] SSL certificate verification can be bypassed when custom CA certificates are specified, allowing connections that should fail to succeed due to improper handling of certificate validation contexts. |
| CVE-2025-66471 | HIGH | [urllib3] The Streaming API improperly handles highly compressed data, allowing attackers to cause excessive CPU usage and massive memory allocation through decompression of small compressed payloads. This results in a denial-of-service vulnerability via resource exhaustion. |
| CVE-2026-21441 | HIGH | [urllib3] Decompression bomb vulnerability in streaming API for HTTP redirects. Malicious servers can trigger excessive resource consumption by sending compressed redirect responses that are fully decompressed without respecting read limits. |
| CVE-2020-26137 | MEDIUM | [urllib3] before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. |
| CVE-2024-37891 | MEDIUM | [urllib3] The Proxy-Authorization header is not stripped during cross-origin redirects when set manually without using urllib3's proxy support, potentially leaking authentication credentials to malicious origins. This vulnerability requires manual header configuration, enabled redirects, and specific redirect conditions to be exploited. |
| CVE-2018-25091 | MEDIUM | [urllib3] Authorization header is not removed when following cross-origin redirects, potentially exposing credentials to unintended hosts or transmitting them in cleartext. |
| CVE-2019-11236 | MEDIUM | [urllib3] In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. |
| CVE-2025-50181 | MEDIUM | [urllib3] A vulnerability allows disabling redirects for all requests through improper PoolManager instantiation with retries configuration, potentially bypassing SSRF and open redirect mitigations. Applications relying on disabled redirects to prevent these vulnerabilities remain exposed to attacks. |
| CVE-2023-45803 | MEDIUM | [urllib3] HTTP redirect responses (301, 302, 303) fail to remove request bodies when changing POST to GET, potentially leaking sensitive data to malicious redirect destinations. This information disclosure vulnerability requires a compromised trusted service to exploit. |
| CVE-2018-18074 | HIGH | [requests] The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. |
| CVE-2024-35195 | MEDIUM | [requests] A vulnerability allows certificate verification to be permanently disabled for a host after the first request with verify=False, causing all subsequent requests to ignore certificate verification regardless of parameter changes, enabling man-in-the-middle attacks. |
| CVE-2014-1829 | MEDIUM | [requests] (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request. |
| CVE-2024-47081 | MEDIUM | [requests] A URL parsing vulnerability allows maliciously-crafted URLs to leak .netrc credentials to third parties. This could enable credential theft and unauthorized access to authenticated services. |
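Several of the urllib3 and requests entries above (CVE-2023-43804, CVE-2024-37891, CVE-2018-25091, CVE-2018-18074, CVE-2023-45803) are variations of one mistake: a redirect is followed while credential-bearing headers, or a request body, are carried over to a destination that should not receive them. The block below is an added example written for this page, not code from urllib3, requests or Aikido; it implements the decision a client has to make at each redirect using only the standard library. The function names, the origin-comparison rule (strip on any host, scheme or port change except a same-host http-to-https upgrade on default ports) and the sample request are assumptions made for illustration, modelled on the behaviour the CVE descriptions call for.

```python
"""Redirect header hygiene: which request headers and bodies may follow a redirect.

Added example for this PR page (not urllib3's or requests' own code). Rules mirror
the CVE descriptions above:
  * Authorization, Proxy-Authorization and Cookie are dropped when the redirect
    target is a different origin (CVE-2018-25091, CVE-2024-37891, CVE-2023-43804).
  * Authorization is also dropped on a same-host https -> http downgrade, since the
    credential would otherwise travel in cleartext (CVE-2018-18074).
  * When 301/302/303 turns a POST into a GET the body and its framing headers are
    removed so they cannot leak to the new destination (CVE-2023-45803).
"""
from urllib.parse import urlsplit

# Headers that must never cross an origin boundary on redirect (assumed list).
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
# Headers that describe a body and are meaningless once the body is gone.
BODY_HEADERS = frozenset({"content-length", "content-type", "transfer-encoding"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple of a URL with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def should_strip_auth(old_url, new_url):
    """True if credential-bearing headers must not follow this redirect."""
    old, new = origin(old_url), origin(new_url)
    if old == new:
        return False                      # same origin: credentials may follow
    if old[1] != new[1]:
        return True                       # different host: always strip
    # Same host. The only tolerated change is an upgrade from http:80 to https:443;
    # a downgrade to http or a port change counts as a new origin.
    upgrade = old[0] == "http" and new[0] == "https" and old[2] == 80 and new[2] == 443
    return not upgrade


def redirect_request(method, headers, body, status, old_url, new_url):
    """Build the follow-up request for a redirect.

    headers is a plain dict; comparison is case-insensitive. Returns a new
    (method, headers, body) tuple and never mutates the caller's headers.
    """
    new_headers = dict(headers)
    if should_strip_auth(old_url, new_url):
        new_headers = {k: v for k, v in new_headers.items()
                       if k.lower() not in SENSITIVE_HEADERS}

    method = method.upper()
    # 303 always rewrites to GET (except HEAD); 301/302 do so for POST in practice.
    # 307/308 keep both method and body by definition, so nothing changes there.
    becomes_get = (status == 303 and method != "HEAD") or \
                  (status in (301, 302) and method == "POST")
    if becomes_get:
        method = "GET"
        body = None
        new_headers = {k: v for k, v in new_headers.items()
                       if k.lower() not in BODY_HEADERS}
    return method, new_headers, body


def demo():
    """Constructed sample: an authenticated POST redirected to a third-party host."""
    request_headers = {                     # constructed, not captured traffic
        "Authorization": "Bearer example-token",
        "Cookie": "session=abc123",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return redirect_request(
        "POST", request_headers, b'{"amount": 100}', 302,
        "https://api.example.com/transfer", "https://cdn.example.net/landing",
    )


if __name__ == "__main__":
    print(demo())
```

The point of keeping the decision in `should_strip_auth` is that it is the single place a reviewer has to read to know the client's redirect policy; a CVE like CVE-2024-37891 arises when one header (here Proxy-Authorization) is handled by a different code path than the others and silently misses the check. A 307/308 response intentionally passes through unchanged, so an attacker who controls a redirect target can still receive the body with those status codes; that is by design of the protocol, and the only defence is not to follow redirects on authenticated requests at all.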