2380000 – (CVE-2025-53643) CVE-2025-53643 aiohttp: AIOHTTP HTTP Request/Response Smuggling

Bug 2380000 (CVE-2025-53643) - CVE-2025-53643 aiohttp: AIOHTTP HTTP Request/Response Smuggling

Summary: CVE-2025-53643 aiohttp: AIOHTTP HTTP Request/Response Smuggling

Keywords:
Status:	NEW
Alias:	CVE-2025-53643
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2380009 2380010 2380011 2380012 2380013 2380022 2380026 2380027 2380028 2380029 2380008 2380014 2380015 2380016 2380017 2380018 2380019 2380020 2380021 2380023 2380024 2380025
Blocks:
TreeView+	depends on / blocked

Reported:	2025-07-14 21:01 UTC by OSIDB Bzimport
Modified:	2026-02-16 16:48 UTC (History)
CC List:	79 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:1249	None	None	None	2026-01-26 19:36:07 UTC
Red Hat Product Errata	RHSA-2026:1506	None	None	None	2026-01-28 17:23:04 UTC
Red Hat Product Errata	RHSA-2026:2760	None	None	None	2026-02-16 16:48:22 UTC

Description OSIDB Bzimport 2025-07-14 21:01:20 UTC

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

Comment 4 errata-xmlrpc 2026-01-26 19:36:00 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9
  Red Hat Ansible Automation Platform 2.6 for RHEL 10

Via RHSA-2026:1249 https://access.redhat.com/errata/RHSA-2026:1249

Comment 5 errata-xmlrpc 2026-01-28 17:22:57 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2026:1506 https://access.redhat.com/errata/RHSA-2026:1506

Comment 6 errata-xmlrpc 2026-02-16 16:48:16 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.18 for RHEL 9

Via RHSA-2026:2760 https://access.redhat.com/errata/RHSA-2026:2760

Note You need to log in before you can comment on or make changes to this bug.

achadha
adudiak
alinfoot
anpicker
anthomas
bbrownin
bbutterfield
bdettelb
bparees
caswilli
dfreiber
doconnor
dranck
drow
dtrifiro
ehelms
ggainey
haoli
hasun
hkataria
jajackso
jalviso
jburrell
jcammara
jdobes
jfula
jkoehler
jmitchel
jneedle
jowilson
jsamir
juwatts
jwendell
jwong
kaycoth
kegrant
koliveir
kshier
lbrazdil
lphiri
mabashia
mhulan
mkalyat
mminar
mwringe
nmoumoul
nyancey
omaciel
ometelka
orabin
osousa
pakotvan
pbohmill
pbraun
pcreech
ptisnovs
rbiba
rbryant
rcernich
rchan
sdoran
shvarugh
simaishi
smallamp
smcdonal
sskracic
stcannon
sthirugn
syedriko
teagle
tfister
thavo
tmalecek
tpfromme
ttakamiy
vkumar
weaton
xdharmai
yguenane