CVE-2025-53643

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-53643

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53643.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-53643

Aliases

GHSA-9548-qrrj-x5pj

Downstream

UBUNTU-CVE-2025-53643

Published

2025-07-14T21:15:27Z

Modified

2025-07-16T10:45:42.872890Z

Summary

[none]

Details

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTPNOEXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

References

Affected packages

Debian:11 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.7.4-1

3.7.4-1+deb11u1

3.7.4-2

3.8.1-1

3.8.1-2

3.8.1-3

3.8.1-4

3.8.1-5

3.8.3-1

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

3.10.6-1

3.10.8-1

3.10.10-1

3.10.10-2

3.10.11-1

3.11.15-1

3.11.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.4-1

3.8.4-1+deb12u1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

3.10.6-1

3.10.8-1

3.10.10-1

3.10.10-2

3.10.11-1

3.11.15-1

3.11.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-aiohttp

Package

Name: python-aiohttp
Purl: pkg:deb/debian/python-aiohttp?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.4-1

3.8.5-1

3.8.6-1

3.9.1-1

3.9.5-1

3.10.0-1

3.10.1-1

3.10.3-1

3.10.3-2

3.10.3-3

3.10.4-1

3.10.5-1

3.10.6-1

3.10.8-1

3.10.10-1

3.10.10-2

3.10.11-1

3.11.15-1

3.11.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/aio-libs/aiohttp

Affected ranges

Type: GIT
Repo: https://github.com/aio-libs/aiohttp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e8d774f635dc6d1cd3174d0e38891da5de0e2b6a

Affected versions

0.*

0.15.2

0.8.2

1.*

1.3.0

2.*

2.0.0

2.0.0rc1

2.0.1

2.0.2

2.0.3

2.0.3-1

2.0.4

2.0.5

2.0.6

2.0.7

4v0.*

4v0.21.6

v.*

v.0.6.5

v0.*

v0.1

v0.10.0

v0.10.1

v0.10.2

v0.11.0

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.14.1

v0.14.2

v0.14.3

v0.14.4

v0.15.0

v0.15.1

v0.15.2

v0.15.3

v0.16.0

v0.16.1

v0.16.2

v0.16.3

v0.16.4

v0.16.5

v0.16.6

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.17.4

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.18.4

v0.19.0

v0.2

v0.20.0

v0.20.1

v0.20.2

v0.21.0

v0.21.0a0

v0.21.0a1

v0.21.0a2

v0.21.1

v0.21.2

v0.21.3

v0.21.4

v0.21.5

v0.21.6

v0.22.0

v0.22.0b0

v0.22.0b1

v0.22.0b2

v0.22.0b3

v0.22.0b4

v0.22.0b5

v0.22.0b6

v0.22.1

v0.22.2

v0.22.3

v0.22.4

v0.22.5

v0.3

v0.4

v0.4.1

v0.4.2

v0.5.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.8.0

v0.8.1

v0.8.3

v0.8.4

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.4

v1.0.5

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.2.0

v2.*

v2.1.0

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.3.0

v2.3.0a1

v2.3.0a2

v2.3.0a3

v2.3.0a4

v2.3.1

v2.3.10

v2.3.1a1

v2.3.2

v2.3.2b1

v2.3.2b2

v2.3.2b3

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v3.*

v3.0.0

v3.0.0b0

v3.0.0b1

v3.0.0b2

v3.0.0b3

v3.0.0b4

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.10.0

v3.10.0b0

v3.10.0b1

v3.10.0rc0

v3.10.1

v3.10.10

v3.10.11

v3.10.11rc0

v3.10.2

v3.10.3

v3.10.4

v3.10.5

v3.10.6

v3.10.6rc0

v3.10.6rc1

v3.10.6rc2

v3.10.7

v3.10.8

v3.10.9

v3.11.0

v3.11.0b0

v3.11.0b1

v3.11.0b2

v3.11.0b3

v3.11.0b4

v3.11.0b5

v3.11.0rc0

v3.11.0rc1

v3.11.0rc2

v3.11.1

v3.11.10

v3.11.11

v3.11.12

v3.11.13

v3.11.14

v3.11.15

v3.11.16

v3.11.17

v3.11.18

v3.11.2

v3.11.3

v3.11.4

v3.11.5

v3.11.6

v3.11.7

v3.11.8

v3.11.9

v3.12.0

v3.12.0b0

v3.12.0b1

v3.12.0b2

v3.12.0b3

v3.12.0rc0

v3.12.0rc1

v3.12.1

v3.12.10

v3.12.11

v3.12.12

v3.12.13

v3.12.1rc0

v3.12.2

v3.12.3

v3.12.4

v3.12.5

v3.12.6

v3.12.7

v3.12.7rc0

v3.12.8

v3.12.9

v3.2.0

v3.2.1

v3.3.0

v3.3.1

v3.3.1b1

v3.3.2

v3.3.2a0

v3.4.0

v3.4.0a0

v3.4.0a3

v3.4.0b1

v3.4.0b2

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.5.0

v3.5.0a1

v3.5.0b1

v3.5.0b2

v3.5.0b3

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.6.0

v3.6.0a0

v3.6.0a1

v3.6.0a10

v3.6.0a11

v3.6.0a12

v3.6.0a2

v3.6.0a3

v3.6.0a4

v3.6.0a5

v3.6.0a6

v3.6.0a7

v3.6.0a8

v3.6.0a9

v3.6.0b0

v3.6.1

v3.6.1b3

v3.6.1b4

v3.6.2

v3.6.2a1

v3.6.2a2

v3.7.0

v3.7.0b0

v3.7.0b1

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.4.post0

v3.8.0

v3.8.1

v3.8.2

v3.8.2a0

v3.8.3

v3.9.0

v3.9.0b0

v3.9.0b1

v3.9.0rc0

v3.9.1

v3.9.2

v3.9.3

v3.9.4

v3.9.5