Skip to content

Request smuggling due to incorrect parsing of chunked trailer section

Low
Dreamsorcerer published GHSA-9548-qrrj-x5pj Jul 14, 2025

Package

pip aiohttp (pip)

Affected versions

<=3.12.13

Patched versions

3.12.14

Description

Summary

The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

Patch: e8d774f

Severity

Low

CVE ID

CVE-2025-53643

Weaknesses

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. Learn more on MITRE.

Credits