Bug 2380000 (CVE-2025-53643) - CVE-2025-53643 aiohttp: AIOHTTP HTTP Request/Response Smuggling
Summary: CVE-2025-53643 aiohttp: AIOHTTP HTTP Request/Response Smuggling
Keywords:
Status: NEW
Alias: CVE-2025-53643
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2380008 2380009 2380010 2380011 2380012 2380013 2380015 2380016 2380017 2380018 2380019 2380020 2380021 2380022 2380023 2380024 2380025 2380026 2380027 2380028 2380029 2380014
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-14 21:01 UTC by OSIDB Bzimport
Modified: 2025-10-01 09:14 UTC (History)
77 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-07-14 21:01:20 UTC 
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
Note You need to log in before you can comment on or make changes to this bug.