Bug 2380000 (CVE-2025-53643) - CVE-2025-53643 aiohttp: AIOHTTP HTTP Request/Response Smuggling
Summary: CVE-2025-53643 aiohttp: AIOHTTP HTTP Request/Response Smuggling
Keywords:
Status: NEW
Alias: CVE-2025-53643
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2380009 2380010 2380011 2380012 2380013 2380022 2380023 2380024 2380025 2380026 2380027 2380028 2380029 2380008 2380014 2380015 2380016 2380017 2380018 2380019 2380020 2380021
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-14 21:01 UTC by OSIDB Bzimport
Modified: 2026-01-26 19:36 UTC (History)
78 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:1249 0 None None None 2026-01-26 19:36:07 UTC

Description OSIDB Bzimport 2025-07-14 21:01:20 UTC 
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
Comment 4 errata-xmlrpc 2026-01-26 19:36:00 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9
  Red Hat Ansible Automation Platform 2.6 for RHEL 10

Via RHSA-2026:1249 https://access.redhat.com/errata/RHSA-2026:1249
Note You need to log in before you can comment on or make changes to this bug.