CVE-2025-53643

| EUVD-2025-21384 HIGH
2025-07-14 [email protected] GHSA-9548-qrrj-x5pj
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 16, 2026 - 09:43 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 09:43 euvd
EUVD-2025-21384
Patch Released
Mar 16, 2026 - 09:43 nvd
Patch available
CVE Published
Jul 14, 2025 - 21:15 nvd
HIGH 7.5

Tags

Python Authentication Bypass Aiohttp Redhat Suse

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

Analysis

AIOHTTP versions prior to 3.12.14 contain a request smuggling vulnerability in the Python parser that fails to properly parse HTTP trailer sections, allowing attackers to bypass firewalls and proxy protections when the pure Python implementation is used. This vulnerability affects deployments running AIOHTTP without C extensions or with AIOHTTP_NO_EXTENSIONS enabled, enabling HTTP request smuggling attacks with high integrity impact. The vulnerability has a CVSS score of 7.5 (High) and is unauthenticated, network-accessible, and requires no user interaction.

Technical Context

AIOHTTP is an asynchronous HTTP client/server framework for Python's asyncio library. The vulnerability exists in CWE-444 (Improper Handling of HTTP Request Headers), specifically the failure to properly parse and validate HTTP trailer headers defined in RFC 7230 section 4.1.2. HTTP trailers are headers sent after the message body in chunked transfer encoding. When the pure Python parser (used when C extensions are unavailable or explicitly disabled via AIOHTTP_NO_EXTENSIONS environment variable) processes requests, it does not correctly validate or reject invalid trailer sections. This allows an attacker to inject additional HTTP headers or manipulate request boundaries, enabling classic HTTP request smuggling attacks (CL.TE or TE.CL desynchronization attacks) between the aiohttp server and downstream proxies or firewalls that do parse trailers correctly. The C extension version is not vulnerable, creating a critical configuration-dependent attack surface.

Affected Products

AIOHTTP versions 3.12.13 and earlier are vulnerable. Affected configurations include: (1) aiohttp <=3.12.13 with pure Python implementation enabled (default on systems without C compiler or build tools); (2) aiohttp <=3.12.13 with AIOHTTP_NO_EXTENSIONS=1 environment variable set; (3) Containerized deployments using minimal base images (Alpine, distroless) without Python development headers. The vulnerability does NOT affect: aiohttp with C extensions compiled and loaded (default on most production systems with dev tools). Patched version: aiohttp >= 3.12.14. CPE string (estimated based on standard convention): cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:python:*:* with version constraint <3.12.14. Users should reference the official AIOHTTP GitHub repository (https://github.com/aio-libs/aiohttp) and PyPI security advisories for vendor guidance.

Remediation

IMMEDIATE ACTIONS: (1) Upgrade AIOHTTP to version 3.12.14 or later: `pip install --upgrade aiohttp>=3.12.14`. (2) For Python-only deployments, install C extension dependencies: `pip install aiohttp[speedups]` to force C extension compilation, which is not vulnerable. (3) Verify C extensions are loaded at runtime: Python code should confirm `aiohttp.http_parser.HttpPayloadParser` uses the C version. MITIGATION for unpatched systems: (1) Set AIOHTTP_NO_EXTENSIONS=0 (or unset) and ensure C compiler toolchain is available for C extension compilation. (2) Deploy aiohttp behind a WAF/proxy that validates and rejects malformed trailers (e.g., nginx, HAProxy with trailer validation enabled). (3) Implement strict Content-Length and Transfer-Encoding validation in upstream middleware. (4) Monitor logs for suspicious trailer headers or desynchronization patterns. WORKAROUND: If upgrade is impossible, restrict aiohttp deployment to trusted internal networks only and disable chunked transfer encoding if protocol permits. Vendor patch reference: https://github.com/aio-libs/aiohttp/releases/tag/v3.12.14

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium
python-aiohttp
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream released 3.12.14
plucky ignored end of life, was needs-triage
questing needs-triage -

Debian

Bug #1109336
python-aiohttp
Release Status Fixed Version Urgency
bullseye vulnerable 3.7.4-1 -
bullseye (security) vulnerable 3.7.4-1+deb11u1 -
bookworm, bookworm (security) vulnerable 3.8.4-1+deb12u1 -
trixie vulnerable 3.11.16-1 -
forky, sid fixed 3.13.3-3 -
(unstable) fixed 3.12.15-1 -

Share

CVE-2025-53643 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy