CVE-2025-53643
BaseFortify
Publication date: 2025-07-14
Last updated on: 2025-08-14
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aiohttp | aiohttp | before 3.12.14 (3.12.14 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in AIOHTTP occurs because the Python parser does not properly parse the trailer sections of an HTTP request. When the pure Python version of aiohttp is used or when AIOHTTP_NO_EXTENSIONS is enabled, an attacker can exploit this flaw to perform a request smuggling attack. This means the attacker can craft HTTP requests that bypass certain firewalls or proxy protections by smuggling malicious requests through the server.
How can this vulnerability impact me?
The vulnerability can allow an attacker to bypass firewall or proxy protections by smuggling malicious HTTP requests. This could lead to unauthorized access, manipulation of requests, or other security breaches depending on the environment where AIOHTTP is used.
What immediate steps should I take to mitigate this vulnerability?
Upgrade aiohttp to version 3.12.14 or later, which contains the patch for this request smuggling vulnerability. Until you can upgrade, avoid running the pure Python parser, whether because the C extensions are not built or because AIOHTTP_NO_EXTENSIONS is set, as those are the configurations that use the vulnerable code path.
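As an added example (not BaseFortify's or the aiohttp project's own code), the following audit script combines the two conditions above, unpatched release and pure-Python parser, into a single exposure decision for the interpreter it runs in. It assumes that aiohttp's C parser class is defined in the module aiohttp._http_parser, so the exported HttpRequestParser's module name reveals which implementation is active; the version strings in the comments are constructed inputs.

```python
import os
import re

def parse_version(text: str) -> tuple:
    """Turn '3.12.13', '3.12.14rc1' or '3.9' into a comparable tuple of ints.
    Only the leading dotted numeric components are compared; any suffix
    (rc1, .post1, ...) is treated conservatively as not yet the final release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))          # pad '3.9' to (3, 9, 0)
    return nums + ((0,) if m.group(2) else (1,))  # final release sorts above a pre-release

FIXED_VERSION = parse_version("3.12.14")  # first release carrying the fix, per the advisory

def assess(version: str, no_extensions_env: bool, c_parser_loaded: bool) -> dict:
    """Pure decision logic: exposed only when the release is unpatched AND the
    pure-Python parser is in use (AIOHTTP_NO_EXTENSIONS set, or no C parser)."""
    unpatched = parse_version(version) < FIXED_VERSION
    pure_python = no_extensions_env or not c_parser_loaded
    return {
        "unpatched": unpatched,
        "pure_python_parser": pure_python,
        "exposed": unpatched and pure_python,
    }

def inspect_runtime() -> dict:
    """Gather the inputs from the running interpreter. Assumption: the C parser
    class lives in aiohttp._http_parser, so HttpRequestParser.__module__ tells
    us whether the C or the pure-Python implementation was exported."""
    try:
        import aiohttp
        from aiohttp import http_parser
    except ImportError:
        return {"installed": False}
    uses_c = http_parser.HttpRequestParser.__module__.endswith("_http_parser")
    env_flag = bool(os.environ.get("AIOHTTP_NO_EXTENSIONS"))
    result = assess(aiohttp.__version__, env_flag, uses_c)
    result.update(installed=True, version=aiohttp.__version__)
    return result

if __name__ == "__main__":
    print(inspect_runtime())
```

Run it inside the virtual environment that serves the application, since the C extension status depends on how that particular wheel was built.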