diff --git a/pyproject.toml b/pyproject.toml
index e9b0d16e..cf2f04e7 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -48,7 +48,9 @@ flask = [
 "flask >=3.0.0, <4.0.0",
 ]
 dev = [
- "pytest >=7.4.0",
+ # pytest 9 requires Python >=3.10; pytest 9.0.3 fixes CVE-2025-71176
+ "pytest >=9.0.3; python_version >= '3.10'",
+ "pytest >=7.4.0,<9; python_version < '3.10'",
 "pytest-cov >=4.1.0",
 "pytest-django >=4.5.2",
 "mypy >=1.5.0",
@@ -82,7 +84,11 @@ zip-safe = false
 "kinde_flask" = ["**/*.py", "**/*.json", "**/*.yaml", "**/*.yml"]
 [tool.poetry.dev-dependencies]
-pytest = "^7.4.0"
+# pytest 9 requires Python >=3.10; pytest 9.0.3 fixes CVE-2025-71176
+pytest = [
+ {version = ">=7.4.0,<9", python = "~3.9"},
+ {version = "^9.0.3", python = ">=3.10"}
+]
 pytest-cov = "^7.0.0"
 coverage = ">=7.10.6"
 pytest-django = "^4.5.2"
@@ -95,4 +101,3 @@ pytest-timeout = "^2.2.0"
 black = "^26.0.0"
 flake8 = "^7.0.0"
 isort = "^8.0.0"
-
diff --git a/requirements.txt b/requirements.txt
index 1a722229..9fff2388 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -21,7 +21,10 @@ certifi>=2026.1.4
 pydantic>=2.0.0,<3.0.0
 # Development dependencies
-pytest>=7.4.0
+# pytest 9 requires Python >=3.10; keep <9 for Python 3.9 (pytest 9 dropped 3.9 support)
+# CVE-2025-71176 is fixed in 9.0.3 (only available for Python >=3.10)
+pytest>=9.0.3; python_version >= "3.10"
+pytest>=7.4.0,<9; python_version < "3.10"
 pytest-django>=4.5.2
 pytest-asyncio>=0.21.1
 pytest-cov>=7.0.0
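Review bot: In the `dev` extras hunk of pyproject.toml, the added comment cites the CVE-2025-71176 fix in pytest 9.0.3, but the `python_version < '3.10'` line beside it keeps Python 3.9 environments on pytest <9. By the commit's own requirements.txt comment, those environments cannot get that fix. The comment should say so, so the new floor is not read as covering every interpreter: `# Python <3.10 stays on pytest <9 and does not get the CVE-2025-71176 fix`. The same comment is repeated in the `[tool.poetry.dev-dependencies]` hunk and needs the same addition. The `dev` array opens inside the hunk and continues past its last line.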
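Review bot: In the `[tool.poetry.dev-dependencies]` hunk, `python = "~3.9"` matches only 3.9.x, while the extras and requirements.txt entries for the same dependency use `python_version < '3.10'`. The three declarations therefore do not select pytest for the same set of interpreters. If the project still supports anything below 3.9 (the supported range is not visible in this hunk), Poetry would have no pytest entry for it. Writing the first entry as `{version = ">=7.4.0,<9", python = "<3.10"},` keeps the three files in step. The table continues past the end of the hunk.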