fkie_cve-2025-43859
Vulnerability from fkie_nvd
Published: 2025-04-24 19:15
Modified: 2025-04-29 13:52
Summary
h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.
{ "cveTags": [], "descriptions": [ { "lang": "en", "value": "h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11\u0027s parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue." }, { "lang": "es", "value": "h11 es una implementaci\u00f3n de Python de HTTP/1.1. Antes de la versi\u00f3n 0.16.0, una tolerancia en el an\u00e1lisis de terminadores de l\u00ednea por parte de h11 en cuerpos de mensajes con codificaci\u00f3n fragmentada pod\u00eda provocar vulnerabilidades de contrabando de solicitudes en ciertas circunstancias. Este problema se ha corregido en la versi\u00f3n 0.16.0. Dado que su explotaci\u00f3n requiere la combinaci\u00f3n de h11 con errores y un proxy inverso con errores, la correcci\u00f3n de cualquiera de los componentes es suficiente para mitigar este problema." 
} ], "id": "CVE-2025-43859", "lastModified": "2025-04-29T13:52:28.490", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-04-24T19:15:47.060", "references": [ { "source": "security-advisories@github.com", "url": "https://github.com/python-hyper/h11/commit/114803a29ce50116dc47951c690ad4892b1a36ed" }, { "source": "security-advisories@github.com", "url": "https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-444" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }