CVE-2025-58068
Severity: CRITICAL
eventlet < 0.40.3 - HTTP Request Smuggling via WSGI Trailer Handling
Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to bypass front-end security controls, launch targeted attacks against active site users, and poison web caches. This problem has been patched in Eventlet 0.40.3 by dropping trailers, which is a breaking change if a backend behind an eventlet.wsgi proxy requires trailers. A workaround is to not expose eventlet.wsgi to untrusted clients.
References (4)
Core References (4)
Vendor Advisory (x_refsource_confirm): https://github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7
Issue Tracking (x_refsource_misc): https://github.com/eventlet/eventlet/pull/1062
Scores
CVSS v3
9.1
EPSS
0.0036
EPSS Percentile
28.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-444
Status
published
Products (2)
eventlet/eventlet
< 0.40.3
pypi/eventlet
0 - 0.40.3 (PyPI)
Published
Aug 29, 2025
Tracked Since
Feb 18, 2026