Skip to main content

Python CVE-2025-53643

| EUVDEUVD-2025-21384 HIGH
HTTP Request/Response Smuggling (CWE-444)
2025-07-14 security-advisories@github.com GHSA-9548-qrrj-x5pj
High
Disputed · 7.5 NVD
Share

Severity by source

Sources disagree (Low–High)
GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
3.7 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 09:43 euvd
EUVD-2025-21384
Analysis Generated
Mar 16, 2026 - 09:43 vuln.today
Patch released
Mar 16, 2026 - 09:43 nvd
Patch available
CVE Published
Jul 14, 2025 - 21:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 62 pypi packages depend on aiohttp (40 direct, 22 indirect)

Ecosystem-wide dependent count for version 3.12.14.

DescriptionGitHub Advisory

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

AnalysisAI

AIOHTTP versions prior to 3.12.14 contain a request smuggling vulnerability in the Python parser that fails to properly parse HTTP trailer sections, allowing attackers to bypass firewalls and proxy protections when the pure Python implementation is used. This vulnerability affects deployments running AIOHTTP without C extensions or with AIOHTTP_NO_EXTENSIONS enabled, enabling HTTP request smuggling attacks with high integrity impact. The vulnerability has a CVSS score of 7.5 (High) and is unauthenticated, network-accessible, and requires no user interaction.

Technical ContextAI

AIOHTTP is an asynchronous HTTP client/server framework for Python's asyncio library. The vulnerability exists in CWE-444 (Improper Handling of HTTP Request Headers), specifically the failure to properly parse and validate HTTP trailer headers defined in RFC 7230 section 4.1.2. HTTP trailers are headers sent after the message body in chunked transfer encoding. When the pure Python parser (used when C extensions are unavailable or explicitly disabled via AIOHTTP_NO_EXTENSIONS environment variable) processes requests, it does not correctly validate or reject invalid trailer sections. This allows an attacker to inject additional HTTP headers or manipulate request boundaries, enabling classic HTTP request smuggling attacks (CL.TE or TE.CL desynchronization attacks) between the aiohttp server and downstream proxies or firewalls that do parse trailers correctly. The C extension version is not vulnerable, creating a critical configuration-dependent attack surface.

RemediationAI

IMMEDIATE ACTIONS: (1) Upgrade AIOHTTP to version 3.12.14 or later: pip install --upgrade aiohttp>=3.12.14. (2) For Python-only deployments, install C extension dependencies: pip install aiohttp[speedups] to force C extension compilation, which is not vulnerable. (3) Verify C extensions are loaded at runtime: Python code should confirm aiohttp.http_parser.HttpPayloadParser uses the C version. MITIGATION for unpatched systems: (1) Set AIOHTTP_NO_EXTENSIONS=0 (or unset) and ensure C compiler toolchain is available for C extension compilation. (2) Deploy aiohttp behind a WAF/proxy that validates and rejects malformed trailers (e.g., nginx, HAProxy with trailer validation enabled). (3) Implement strict Content-Length and Transfer-Encoding validation in upstream middleware. (4) Monitor logs for suspicious trailer headers or desynchronization patterns. WORKAROUND: If upgrade is impossible, restrict aiohttp deployment to trusted internal networks only and disable chunked transfer encoding if protocol permits. Vendor patch reference: https://github.com/aio-libs/aiohttp/releases/tag/v3.12.14

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

Ubuntu

Priority: Medium
python-aiohttp
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream released 3.12.14
plucky ignored end of life, was needs-triage
questing needs-triage -

Debian

Bug #1109336
python-aiohttp
Release Status Fixed Version Urgency
bullseye vulnerable 3.7.4-1 -
bullseye (security) vulnerable 3.7.4-1+deb11u1 -
bookworm, bookworm (security) vulnerable 3.8.4-1+deb12u1 -
trixie vulnerable 3.11.16-1 -
forky, sid fixed 3.13.3-3 -
(unstable) fixed 3.12.15-1 -

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.6 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
Image SLES15-SP4-BYOS-Azure Image SLES15-SP4-HPC-BYOS-Azure Image SLES15-SP4-Hardened-BYOS-Azure Image SLES15-SP4-SAP-Azure Image SLES15-SP4-SAP-BYOS-Azure Image SLES15-SP4-SAP-Hardened-Azure Image SLES15-SP4-SAP-Hardened-BYOS-Azure Image SLES15-SP4-SAPCAL-Azure Image SLES15-SP5-Azure-3P Image SLES15-SP5-Azure-Basic Image SLES15-SP5-Azure-Standard Image SLES15-SP5-BYOS-Azure Image SLES15-SP5-HPC-Azure Image SLES15-SP5-HPC-BYOS-Azure Image SLES15-SP5-Hardened-BYOS-Azure Image SLES15-SP5-SAP-Azure-3P Image SLES15-SP5-SAP-BYOS-Azure Image SLES15-SP5-SAP-Hardened-Azure Image SLES15-SP5-SAP-Hardened-BYOS-Azure Image SLES15-SP5-SAPCAL-Azure Image SLES15-SP6 Image SLES15-SP6-Azure-3P Image SLES15-SP6-Azure-Basic Image SLES15-SP6-Azure-Standard Image SLES15-SP6-BYOS-Azure Image SLES15-SP6-HPC Image SLES15-SP6-HPC-Azure Image SLES15-SP6-HPC-BYOS-Azure Image SLES15-SP6-Hardened-BYOS-Azure Image SLES15-SP6-SAP-Azure Image SLES15-SP6-SAP-Azure-3P Image SLES15-SP6-SAP-BYOS-Azure Image SLES15-SP6-SAP-Hardened-Azure Image SLES15-SP6-SAP-Hardened-BYOS-Azure Image SLES15-SP6-SAPCAL-Azure Image SLES15-SP7-Azure-3P Image SLES15-SP7-Azure-Basic Image SLES15-SP7-Azure-Standard Image SLES15-SP7-BYOS-Azure Image SLES15-SP7-HPC-Azure Image SLES15-SP7-HPC-BYOS-Azure Image SLES15-SP7-Hardened-BYOS-Azure Image SLES15-SP7-SAP-Azure Image SLES15-SP7-SAP-Azure-3P Image SLES15-SP7-SAP-BYOS-Azure Image SLES15-SP7-SAP-Hardened-Azure Image SLES15-SP7-SAP-Hardened-BYOS-Azure Image SLES15-SP7-SAPCAL-Azure Affected
SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Module for Public Cloud 15 SP3 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.2 Fixed
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Module for Python 3 15 SP6 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed

Share

CVE-2025-53643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy