Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
Published: 2025-07-14
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21384 AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
Github GHSA Github GHSA GHSA-9548-qrrj-x5pj AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
History

Thu, 14 Aug 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Aiohttp
Aiohttp aiohttp
CPEs cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products Aiohttp
Aiohttp aiohttp
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 15 Jul 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00048}

Tue, 15 Jul 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Low

Mon, 14 Jul 2025 20:30:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
Title AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
Weaknesses CWE-444
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Aiohttp Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-07-15T19:50:40.717Z

Reserved: 2025-07-07T14:20:38.391Z

Link: CVE-2025-53643

cve-icon Vulnrichment

Updated: 2025-07-15T13:27:18.855Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-14T21:15:27.827

Modified: 2025-08-14T20:40:05.493

Link: CVE-2025-53643

cve-icon Redhat

Severity : Low

Publid Date: 2025-07-14T20:17:18Z

Links: CVE-2025-53643 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses