diff --git a/bioimageio/spec/_internal/docs_utils.py b/bioimageio/spec/_internal/docs_utils.py
index 96298eb36..aa612005b 100644
--- a/bioimageio/spec/_internal/docs_utils.py
+++ b/bioimageio/spec/_internal/docs_utils.py
@@ -35,7 +35,7 @@ def get_ref_url(
         "github.com", "raw.githubusercontent.com"
     ).replace("/blob/", "/")
     try:
-        code = requests.get(raw_github_file_url).text
+        code = requests.get(raw_github_file_url, timeout=5).text
     except requests.RequestException as e:
         warnings.warn(
             f"Could not resolve {github_file_url} due to {e}. Please check your"
diff --git a/bioimageio/spec/_internal/field_validation.py b/bioimageio/spec/_internal/field_validation.py
index b0298da90..fa90609b7 100644
--- a/bioimageio/spec/_internal/field_validation.py
+++ b/bioimageio/spec/_internal/field_validation.py
@@ -73,17 +73,27 @@ def validate_gh_user(username: str, hotfix_known_errorenous_names: bool = True)
     if username.lower() in KNOWN_INVALID_GH_USERS:
         raise ValueError(f"Known invalid GitHub user '{username}'")
 
-    r = requests.get(
-        f"https://api.github.com/users/{username}", auth=settings.github_auth
-    )
-    if r.status_code == 403 and r.reason == "rate limit exceeded":
+    try:
+        r = requests.get(
+            f"https://api.github.com/users/{username}",
+            auth=settings.github_auth,
+            timeout=3,
+        )
+    except requests.exceptions.Timeout:
         issue_warning(
-            "Could not verify GitHub user '{value}' due to GitHub API rate limit",
+            "Could not verify GitHub user '{value}' due to connection timeout",
             value=username,
         )
-    elif r.status_code != 200:
-        KNOWN_INVALID_GH_USERS.add(username.lower())
-        raise ValueError(f"Could not find GitHub user '{username}'")
+    else:
+        if r.status_code == 403 and r.reason == "rate limit exceeded":
+            issue_warning(
+                "Could not verify GitHub user '{value}' due to GitHub API rate limit",
+                value=username,
+            )
+        elif r.status_code != 200:
+            KNOWN_INVALID_GH_USERS.add(username.lower())
+            raise ValueError(f"Could not find GitHub user '{username}'")
+
+        KNOWN_GH_USERS.add(username.lower())
 
-    KNOWN_GH_USERS.add(username.lower())
     return username
diff --git a/bioimageio/spec/_internal/io_utils.py b/bioimageio/spec/_internal/io_utils.py
index 0b1faac95..a43c505e7 100644
--- a/bioimageio/spec/_internal/io_utils.py
+++ b/bioimageio/spec/_internal/io_utils.py
@@ -149,7 +149,9 @@ def _get_one_collection(url: str):
     if not isinstance(url, str) or "/" not in url:
         logger.error("invalid collection url: {}", url)
     try:
-        collection: List[Dict[Any, Any]] = requests.get(url).json().get("collection")
+        collection: List[Dict[Any, Any]] = (
+            requests.get(url, timeout=5).json().get("collection")
+        )
     except Exception as e:
         logger.error("failed to get {}: {}", url, e)
         return ret
diff --git a/bioimageio/spec/_internal/url.py b/bioimageio/spec/_internal/url.py
index 557c31913..4705d306f 100644
--- a/bioimageio/spec/_internal/url.py
+++ b/bioimageio/spec/_internal/url.py
@@ -33,7 +33,7 @@ def _validate_url(url: Union[str, pydantic.HttpUrl]) -> pydantic.AnyUrl:
         )
 
     try:
-        response = requests.get(val_url, stream=True, timeout=(3, 3))
+        response = requests.get(val_url, stream=True, timeout=3)
     except (
         requests.exceptions.ChunkedEncodingError,
         requests.exceptions.ContentDecodingError,
diff --git a/bioimageio/spec/partner_utils/imjoy/_plugin_parser.py b/bioimageio/spec/partner_utils/imjoy/_plugin_parser.py
index 46bbd747a..15bc1aeca 100644
--- a/bioimageio/spec/partner_utils/imjoy/_plugin_parser.py
+++ b/bioimageio/spec/partner_utils/imjoy/_plugin_parser.py
@@ -179,7 +179,7 @@ def convert_config_to_rdf(plugin_config, source_url=None) -> dict:
 
 def get_plugin_as_rdf(source_url: str) -> Dict[Any, Any]:
     """Get imjoy plugin config in RDF format."""
-    req = requests.get(source_url)
+    req = requests.get(source_url, timeout=5)
     source = req.text
     plugin_config = parse_imjoy_plugin(source)
     rdf = convert_config_to_rdf(plugin_config, source_url)
diff --git a/scripts/update_spdx_licenses_zenodo.py b/scripts/update_spdx_licenses_zenodo.py
index d8613927f..3a5dd0f10 100644
--- a/scripts/update_spdx_licenses_zenodo.py
+++ b/scripts/update_spdx_licenses_zenodo.py
@@ -32,7 +32,7 @@ def main(recheck: bool = False):
                 "https://zenodo.org/api/vocabularies/licenses/"
                 + lic["licenseId"].lower()
             )
-            r = requests.get(url)
+            r = requests.get(url, timeout=5)
 
             if 200 <= r.status_code < 300:
                 known = True