Bug 2362162 (CVE-2025-43859) - CVE-2025-43859 h11: h11 accepts some malformed Chunked-Encoding bodies
Summary: CVE-2025-43859 h11: h11 accepts some malformed Chunked-Encoding bodies
Keywords:
Status: NEW
Alias: CVE-2025-43859
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2362282 2362283 2362285 2362286 2362287 2363676
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-04-24 19:01 UTC by OSIDB Bzimport
Modified: 2025-06-05 20:51 UTC (History)
66 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:7535 0 None None None 2025-05-14 01:02:18 UTC
Red Hat Product Errata RHSA-2025:7536 0 None None None 2025-05-14 01:03:20 UTC
Red Hat Product Errata RHSA-2025:8221 0 None None None 2025-05-27 18:15:37 UTC
Red Hat Product Errata RHSA-2025:8615 0 None None None 2025-06-05 20:51:05 UTC

Description OSIDB Bzimport 2025-04-24 19:01:12 UTC 
h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.
Comment 2 errata-xmlrpc 2025-05-14 01:02:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Services on OpenShift 18.0

Via RHSA-2025:7535 https://access.redhat.com/errata/RHSA-2025:7535
Comment 3 errata-xmlrpc 2025-05-14 01:03:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2025:7536 https://access.redhat.com/errata/RHSA-2025:7536
Comment 5 errata-xmlrpc 2025-05-27 18:15:31 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2025:8221 https://access.redhat.com/errata/RHSA-2025:8221
Comment 7 errata-xmlrpc 2025-06-05 20:51:00 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2025:8615 https://access.redhat.com/errata/RHSA-2025:8615
Note You need to log in before you can comment on or make changes to this bug.