CVE-2025-53643: 
Aiohttp vulnerability analysis and mitigation

AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, was found to contain a request smuggling vulnerability (CVE-2025-53643) prior to version 3.12.14. The vulnerability was discovered and reported by JeppW, and was disclosed on July 14, 2025. The issue specifically affects installations using the pure Python version of aiohttp or when AIOHTTPNOEXTENSIONS is enabled (GitHub Advisory).

The vulnerability stems from incorrect parsing of trailer sections in HTTP requests. The issue exists in the Python parser implementation of the framework, which fails to properly handle trailer sections of an HTTP request. The vulnerability has been assigned a CVSS v4.0 score of 1.7 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U. The vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) (NVD).

The vulnerability could allow attackers to perform request smuggling attacks, potentially bypassing certain firewalls or proxy protections. The impact is specifically limited to installations using the pure Python version of aiohttp or when AIOHTTPNOEXTENSIONS is enabled (GitHub Advisory).

The vulnerability has been patched in version 3.12.14 of aiohttp. Users are advised to upgrade to this version to address the security issue. The fix was implemented through commit e8d774f which adds trailer parsing logic to the Python HTTP parser (GitHub Commit).