CVE-2025-53643

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a	Patch
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*

History

14 Aug 2025, 20:40

Type	Values Removed	Values Added
First Time		Aiohttp aiohttp Aiohttp
CPE		cpe:2.3:a:aiohttp:aiohttp::::::::
References	~~() https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a -~~	() https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a - Patch
References	~~() https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj -~~	() https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

15 Jul 2025, 13:14

Type	Values Removed	Values Added
Summary		(es) AIOHTTP es un framework cliente/servidor HTTP asíncrono para asyncio y Python. En versiones anteriores a la 3.12.14, el analizador de Python era vulnerable a una vulnerabilidad de contrabando de solicitudes debido a que no analizaba las secciones finales de una solicitud HTTP. Si se instala una versión de aiohttp pura en Python (es decir, sin las extensiones habituales de C) o se habilita AIOHTTP_NO_EXTENSIONS, un atacante podría ejecutar un ataque de contrabando de solicitudes para eludir ciertas protecciones de firewall o proxy. La versión 3.12.14 incluye un parche para este problema.

14 Jul 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-14 21:15

Updated : 2025-08-14 20:40

NVD link : CVE-2025-53643

Mitre link : CVE-2025-53643

CVE.ORG link : CVE-2025-53643

JSON object : View

Products Affected

aiohttp

aiohttp

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

7.5 /10