CVE-2025-43859

h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.

References

Affected packages

Debian:12 / python-h11

Package

Name: python-h11
Purl: pkg:deb/debian/python-h11?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.14.0-1.1~deb12u1

Affected versions

0.*

0.14.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-h11

Package

Name: python-h11
Purl: pkg:deb/debian/python-h11?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.14.0-1.1

Affected versions

0.*

0.14.0-1

0.14.0-1.1~deb12u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/python-hyper/h11

Affected ranges

Type: GIT
Repo: https://github.com/python-hyper/h11
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

114803a29ce50116dc47951c690ad4892b1a36ed

Affected versions

v0.*

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.8.1

v0.9.0