Package: python-aiohttp
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for python-aiohttp.

CVE-2025-53643[0]:
| AIOHTTP is an asynchronous HTTP client/server framework for asyncio
| and Python. Prior to version 3.12.14, the Python parser is
| vulnerable to a request smuggling vulnerability due to not parsing
| trailer sections of an HTTP request. If a pure Python version of
| aiohttp is installed (i.e. without the usual C extensions) or
| AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to
| execute a request smuggling attack to bypass certain firewalls or
| proxy protections. Version 3.12.14 contains a patch for this issue.

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj
https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a (v3.12.14)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53643
    https://www.cve.org/CVERecord?id=CVE-2025-53643

Please adjust the affected versions in the BTS as needed.
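The advisory makes exposure conditional on two things at once: an aiohttp older than 3.12.14, and the pure-Python request parser being the one in use (no compiled C extension, or AIOHTTP_NO_EXTENSIONS set). The following audit script is an added example, not part of this bug report or of aiohttp itself; it encodes that condition so an operator can check a deployment. It assumes that the compiled parser is importable as `aiohttp._http_parser` (an assumption about aiohttp's module layout, not stated in the advisory) and that `aiohttp.__version__` reports the installed version; the version-comparison logic itself needs no aiohttp installed.

```python
"""Exposure check for CVE-2025-53643 (added example, not from the bug report).

Per the advisory, a deployment is exposed only when BOTH hold:
  1. the installed aiohttp is older than 3.12.14, and
  2. the pure-Python HTTP parser is in use, i.e. the C extension is either
     not available or disabled via the AIOHTTP_NO_EXTENSIONS environment variable.
"""
import os
import re
from typing import Optional, Tuple

FIXED_VERSION = (3, 12, 14)  # first fixed release named in the advisory

# Pre-release markers (3.12.14rc1, 3.12.14.dev0) are older than the final
# release; '.post1' is newer and therefore NOT a pre-release tag.
_PRE_TAG = re.compile(r"(a|b|c|rc|dev)\d*$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '3.12.13', '3.12.14rc1' or '3.12.14.dev0' into
    (numeric components, is_prerelease)."""
    parts = []
    prerelease = False
    for piece in text.split("."):
        m = re.fullmatch(r"(\d+)(.*)", piece)
        if m is None:
            # purely alphabetic component such as 'dev0' or 'post1'
            prerelease = bool(_PRE_TAG.fullmatch(piece))
            break
        parts.append(int(m.group(1)))
        if m.group(2):
            # digits followed by a tag inside one component, e.g. '14rc1'
            prerelease = bool(_PRE_TAG.fullmatch(m.group(2)))
            break
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts), prerelease


def is_vulnerable(version: str, no_extensions: bool, c_parser_loaded: bool) -> bool:
    """True when the advisory's two conditions both hold for this deployment."""
    nums, prerelease = parse_version(version)
    padded = nums + (0,) * max(0, 3 - len(nums))  # '3.12' compares like '3.12.0'
    unfixed = padded < FIXED_VERSION or (padded[:3] == FIXED_VERSION and prerelease)
    python_parser_in_use = no_extensions or not c_parser_loaded
    return unfixed and python_parser_in_use


def audit_installed() -> Optional[dict]:
    """Inspect the aiohttp in this interpreter; None if it is not installed."""
    try:
        import aiohttp
    except ImportError:
        return None
    # AIOHTTP_NO_EXTENSIONS is named in the advisory; any non-empty value disables
    # the C parser even when it is compiled in, so it must be checked separately.
    no_ext = bool(os.environ.get("AIOHTTP_NO_EXTENSIONS"))
    try:
        import aiohttp._http_parser  # noqa: F401  (assumed location of the C parser)
        c_loaded = True
    except ImportError:
        c_loaded = False
    return {
        "version": aiohttp.__version__,
        "no_extensions": no_ext,
        "c_parser_available": c_loaded,
        "vulnerable": is_vulnerable(aiohttp.__version__, no_ext, c_loaded),
    }


if __name__ == "__main__":
    result = audit_installed()
    print("aiohttp not installed" if result is None else result)
```

Run it inside the same virtualenv and with the same environment variables as the service, since the AIOHTTP_NO_EXTENSIONS check reads the environment of the process that performs the audit. A result of `"vulnerable": True` means the fix is to move to 3.12.14 or later (or a distribution package carrying the referenced commit); simply installing the C extension also takes the pure-Python parser out of the request path, but does not address the underlying parser bug.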

