CVE-2025-53643

EUVD-2025-21384
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
HTTP Request/Response Smuggling
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
Affected Products (NVD)
VendorProductVersion
aiohttpaiohttp
𝑥
< 3.12.14
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-aiohttp
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
3.7.4-1+deb11u2
fixed
forky
3.13.5-1
fixed
sid
3.13.5-1
fixed
trixie
no-dsa
trixie (security)
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-aiohttp
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
needs-triage
resolute
needs-triage
xenial
ignored
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
python3-aiohttp
suse enterprise sap 15 SP4
3.6.0-150100.3.27.1
fixed
suse enterprise server 15 SP4
3.6.0-150100.3.27.1
fixed
python311-aiohttp
suse enterprise sap 15 SP4
3.9.3-150400.10.33.1
fixed
suse enterprise server 15 SP4
3.9.3-150400.10.33.1
fixed
Common Weakness Enumeration
References
https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj