CVE-2025-58068: HTTP Request Smuggling in Eventlet

Severity: 6.3 MEDIUM (NVD)
EPSS: 0.1% (top 81.79%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 29; Latest update Sep 24

Description

Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to bypass front-end security controls, launch targeted attacks against active site users, and poison web caches. This problem has been patched in Eventlet 0.40.3 by dropping trailers, which is a breaking change if a backend behind the eventlet.wsgi proxy requires t

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages (3 packages)

Debian: debian/python-eventlet < python-eventlet 0.26.1-7+deb11u2 (bullseye)
NVD: eventlet/eventlet < 0.40.3
PyPI: eventlet/eventlet < 0.40.3

Patches

Vulnerability Details (3)

OSV: CVE-2025-58068: Eventlet is a concurrent networking library for Python (2025-08-29)
OSV: Eventlet affected by HTTP request smuggling in unparsed trailers (2025-08-29)
GHSA: Eventlet affected by HTTP request smuggling in unparsed trailers (2025-08-29)

Vendor Advisories (3)

Ubuntu: Eventlet vulnerability (2025-09-24)
Red Hat: python-eventlet: Eventlet HTTP request smuggling (2025-08-29)
Debian: CVE-2025-58068: python-eventlet - Eventlet is a concurrent networking library for Python. Prior to version 0.40.3,... (2025)