CVE-2025-53643

NameCVE-2025-53643
DescriptionAIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1109336

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-aiohttp (PTS)bullseye3.7.4-1vulnerable
bullseye (security)3.7.4-1+deb11u1vulnerable
bookworm, bookworm (security)3.8.4-1+deb12u1vulnerable
forky, sid, trixie3.11.16-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-aiohttpsource(unstable)(unfixed)1109336

Notes

[trixie] - python-aiohttp <no-dsa> (Minor issue)
[bookworm] - python-aiohttp <no-dsa> (Minor issue)
[bullseye] - python-aiohttp <postponed> (Minor issue; request smuggling)
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj
https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a (v3.12.14)
Search for package or bug name: Reporting problems