
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical vulnerability (CVE-2025-43859) was discovered in h11, a Python implementation of HTTP/1.1, affecting versions prior to 0.16.0. The vulnerability stems from a leniency in h11's parsing of line terminators in chunked-coding message bodies, which can lead to request smuggling vulnerabilities under specific conditions. The issue was disclosed on April 24, 2025, and received a CVSS v3.1 base score of 9.1 (Critical) (GitHub Advisory, NVD).
The vulnerability arises from h11's incorrect handling of HTTP/1.1 Chunked-Encoding bodies. In versions up to 0.14.0, h11 accepted any two bytes as chunk terminators instead of properly validating the required \r\n sequence. While this leniency alone isn't immediately dangerous, when combined with a proxy that misinterprets chunked encoding, it creates conditions for request smuggling attacks. The vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) and received a CVSS score of 9.1, indicating critical severity with network attack vector, low complexity, and no required privileges or user interaction (GitHub Advisory).
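To make the parsing point concrete, the following is an added illustration (not h11's own parser) of a minimal chunked-coding decoder with a strict mode that requires the RFC 9112 CRLF after each chunk's data and a lenient mode that accepts any two bytes, mirroring the leniency the advisory describes. The sample bodies are constructed, and `strict_rejects` is offered as a small oracle for unit or fuzz tests of a decoder.

```python
from __future__ import annotations

import re

# Added illustration (not h11's code): a minimal chunked-coding decoder with a
# strict/lenient switch for the two bytes that terminate each chunk's data.

CRLF = b"\r\n"
_CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]{1,16}$")


class ChunkedParseError(ValueError):
    """Raised when the body does not follow RFC 9112 chunked-coding syntax."""


def _read_line(body: bytes, pos: int) -> tuple[bytes, int]:
    """Return (line without CRLF, position after the CRLF)."""
    end = body.find(CRLF, pos)
    if end == -1:
        raise ChunkedParseError("line not terminated by CRLF")
    return body[pos:end], end + 2


def parse_chunked(body: bytes, strict: bool = True) -> bytes:
    """Decode a chunked-coding message body and return the payload.

    strict=True  : the two bytes after each chunk's data must be exactly CRLF.
    strict=False : any two bytes are accepted there, mimicking the leniency in
                   the affected versions; a proxy and server that disagree on
                   this no longer agree on where each message ends.
    """
    out = bytearray()
    pos = 0
    while True:
        size_line, pos = _read_line(body, pos)
        size_field = size_line.split(b";", 1)[0].strip()  # drop chunk extensions
        if not _CHUNK_SIZE_RE.match(size_field):
            raise ChunkedParseError(f"invalid chunk-size field: {size_field!r}")
        size = int(size_field, 16)
        if size == 0:
            # last-chunk: optional trailer fields, then an empty line ends the body
            while True:
                line, pos = _read_line(body, pos)
                if line == b"":
                    return bytes(out)
        data = body[pos:pos + size]
        if len(data) != size:
            raise ChunkedParseError("truncated chunk data")
        pos += size
        terminator = body[pos:pos + 2]
        if len(terminator) != 2:
            raise ChunkedParseError("truncated chunk terminator")
        if strict and terminator != CRLF:
            raise ChunkedParseError(f"chunk data not followed by CRLF: {terminator!r}")
        pos += 2
        out += data


def strict_rejects(body: bytes) -> bool:
    """True if the strict decoder refuses the body (a simple test oracle)."""
    try:
        parse_chunked(body, strict=True)
    except ChunkedParseError:
        return True
    return False


# Constructed sample bodies (not captured traffic).
WELL_FORMED = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
BAD_TERMINATOR = b"5\r\nhelloXX0\r\n\r\n"  # 'XX' where CRLF is required

if __name__ == "__main__":
    print(parse_chunked(WELL_FORMED))                   # b'hello world'
    print(parse_chunked(BAD_TERMINATOR, strict=False))  # b'hello' (lenient accepts it)
    print(strict_rejects(BAD_TERMINATOR))               # True
```

The strict decoder is the behaviour to expect from h11 0.16.0 and later; the point of the lenient switch is only to show that the same bytes decode to a complete message under one rule and are rejected under the other, which is exactly the disagreement between components that CWE-444 describes.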
The vulnerability can enable attackers to perform request smuggling attacks when h11 is used behind a misconfigured or buggy HTTP proxy. In severe cases, this could lead to access control bypass and credential theft, allowing one user to steal another's credentials. The impact is particularly significant in environments where proxies are relied on to restrict access to protected endpoints (SecurityOnline).
The vulnerability has been patched in h11 version 0.16.0. Since exploitation requires both a buggy h11 and a buggy proxy, fixing either component is sufficient to mitigate the issue. Developers using h11 are strongly urged to upgrade to version 0.16.0 or later (GitHub Advisory, Arch Linux).
Source: This report was generated using AI