Bug 2380000 (CVE-2025-53643)

Summary: CVE-2025-53643 aiohttp: AIOHTTP HTTP Request/Response Smuggling
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: achadha, alinfoot, anpicker, anthomas, bbrownin, bbutterfield, bdettelb, bparees, caswilli, dfreiber, doconnor, dranck, drow, dtrifiro, ehelms, ggainey, haoli, hasun, hkataria, jajackso, jalviso, jburrell, jcammara, jdobes, jfula, jkoehler, jmitchel, jneedle, jowilson, jsamir, juwatts, jwendell, jwong, kaycoth, kegrant, koliveir, kshier, lbrazdil, lphiri, mabashia, mhulan, mkalyat, mminar, mwringe, nmoumoul, nyancey, omaciel, ometelka, orabin, osousa, pakotvan, pbohmill, pbraun, pcreech, ptisnovs, rbiba, rbryant, rcernich, rchan, sdoran, shvarugh, simaishi, smallamp, smcdonal, sskracic, stcannon, sthirugn, syedriko, teagle, tfister, thavo, tmalecek, tpfromme, ttakamiy, vkumar, weaton, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A request smuggling flaw was found in the aiohttp python library. If a pure Python version of aiohttp is installed, without the usual C extensions, for example, or if AIOHTTP_NO_EXTENSIONS is enabled, an attacker can execute a request smuggling attack to bypass certain firewalls or proxy protections.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2380009, 2380010, 2380011, 2380012, 2380013, 2380008, 2380014, 2380015, 2380016, 2380017, 2380018, 2380019, 2380020, 2380021, 2380022, 2380023, 2380024, 2380025, 2380026, 2380027, 2380028, 2380029    
Bug Blocks:    

Description OSIDB Bzimport 2025-07-14 21:01:20 UTC
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

Comment 4 errata-xmlrpc 2026-01-26 19:36:00 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9
  Red Hat Ansible Automation Platform 2.6 for RHEL 10

Via RHSA-2026:1249 https://access.redhat.com/errata/RHSA-2026:1249

Comment 5 errata-xmlrpc 2026-01-28 17:22:57 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2026:1506 https://access.redhat.com/errata/RHSA-2026:1506

Comment 6 errata-xmlrpc 2026-02-16 16:48:16 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.18 for RHEL 9

Via RHSA-2026:2760 https://access.redhat.com/errata/RHSA-2026:2760