CVE-2025-58068

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-58068
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58068.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-58068
Aliases
Downstream
Withdrawn
2025-09-03T15:57:45.194825Z
Published
2025-08-29T22:15:32Z
Modified
2025-09-03T12:54:39.210566Z
Summary
[none]
Details

Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to, bypass front-end security controls, launch targeted attacks against active site users, and poison web caches. This problem has been patched in Eventlet 0.40.3 by dropping trailers which is a breaking change if a backend behind eventlet.wsgi proxy requires trailers. A workaround involves not using eventlet.wsgi facing untrusted clients.

References

Affected packages

Debian:11 / python-eventlet

Package

Name
python-eventlet
Purl
pkg:deb/debian/python-eventlet?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.26.1-7+deb11u2

Affected versions

0.*

0.26.1-7
0.26.1-7+deb11u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / python-eventlet

Package

Name
python-eventlet
Purl
pkg:deb/debian/python-eventlet?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.33.1-4
0.33.3-1
0.33.3-2
0.33.3-2.1
0.33.3-3
0.35.1-1
0.35.1-2
0.35.1-3
0.36.1-1
0.36.1-2
0.36.1-3
0.36.1-4
0.36.1-5
0.36.1-6
0.36.1-7
0.36.1-8
0.36.1-9
0.36.1-10
0.36.1-11
0.36.1-12
0.39.1-1
0.39.1-2
0.40.1-1
0.40.1-2
0.40.1-3
0.40.2-1
0.40.3-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / python-eventlet

Package

Name
python-eventlet
Purl
pkg:deb/debian/python-eventlet?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.39.1-2
0.40.1-1
0.40.1-2
0.40.1-3
0.40.2-1
0.40.3-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / python-eventlet

Package

Name
python-eventlet
Purl
pkg:deb/debian/python-eventlet?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.40.1-3

Affected versions

0.*

0.39.1-2
0.40.1-1
0.40.1-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/eventlet/eventlet

Affected ranges

Type
GIT
Repo
https://github.com/eventlet/eventlet
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0bfebd1117d392559e25b4bfbfcc941754de88fb

Affected versions

0.*

0.36.0
0.36.1
0.37.0
0.38.0
0.38.1
0.38.2
0.39.1
0.40.0
0.40.1
0.40.2

v0.*

v0.10
v0.11
v0.12
v0.13
v0.14
v0.15
v0.15.1
v0.15.2
v0.16
v0.16.1
v0.17
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.18.2
v0.18.4
v0.19.0
v0.20.0
v0.20.1
v0.21.0
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.26.0
v0.26.1
v0.27.0
v0.28.0
v0.28.1
v0.29.0
v0.29.1
v0.30.0
v0.30.1
v0.30.2
v0.30.3
v0.31.0
v0.31.1
v0.32.0
v0.33.0
v0.33.1
v0.33.2
v0.33.3
v0.34.0
v0.34.1
v0.34.2
v0.34.3
v0.35.0
v0.35.1
v0.35.2
v0.9.16
v0.9.17