CVE-2025-53643HTTP Request Smuggling in Aiohttp

CWE-444HTTP Request Smuggling9 documents7 sources
Severity
1.7LOWNVD
EPSS
0.1%
top 75.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Aio-libs AiohttpAiohttp
Timeline
PublishedJul 14
Latest updateJan 15

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a p

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

NVDaiohttp/aiohttp< 3.12.14
PyPIaiohttp/aiohttp< 3.12.14
CVEListV5aio-libs/aiohttp< 3.12.14

Patches

Patch: github.com

🔴Vulnerability Details

4
CVEList
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections2025-07-14
GHSA
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections2025-07-14
OSV
CVE-2025-53643: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python2025-07-14
OSV
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections2025-07-14

📋Vendor Advisories

4
Oracle
Oracle Oracle Siebel CRM Risk Matrix: Siebel Cloud Manager (AIOHTTP) — CVE-2025-536432026-01-15
Oracle
Oracle Oracle Communications Risk Matrix: Developer Infrastructure (AIOHTTP) — CVE-2025-536432025-10-15
Red Hat
aiohttp: AIOHTTP HTTP Request/Response Smuggling2025-07-14
Debian
CVE-2025-53643: python-aiohttp - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. ...2025
CVE-2025-53643 — HTTP Request Smuggling in Aiohttp | cvebase