LOW

GHSA-9548-qrrj-x5pj

AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections

Details

### Summary The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request.

### Impact If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

----

Patch: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aiohttp

Introduced in: 0 Fixed in: 3.12.14

Fix pip install --upgrade 'aiohttp>=3.12.14'

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-53643 [ADVISORY]
https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a [WEB]
https://github.com/aio-libs/aiohttp [PACKAGE]