CVE-2025-53643

HIGH

AIOHTTP <3.12.14 - Request Smuggling

Title source: llm

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

References (2)

[Vendor Advisory] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj

[Patch] https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0009

EPSS Percentile 25.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-444

Status published

Products (2)

aiohttp/aiohttp < 3.12.14

pypi/aiohttp 0 - 3.12.14PyPI

Published Jul 14, 2025

Tracked Since Feb 18, 2026