CVE-2025-53643: 
Wolfi vulnerability analysis and mitigation

AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, was found to contain a request smuggling vulnerability (CVE-2025-53643) prior to version 3.12.14. The vulnerability was discovered and disclosed on July 14, 2025, affecting all versions up to and including 3.12.13 (GitHub Advisory).

The vulnerability stems from the Python parser's inability to properly parse trailer sections of an HTTP request. This issue specifically affects installations where either a pure Python version of aiohttp is installed without the usual C extensions, or when AIOHTTPNOEXTENSIONS is enabled. The vulnerability has been assigned a CVSS v4.0 score of 1.7 (Low) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U. The vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) (NVD).

The vulnerability could allow attackers to execute request smuggling attacks, potentially bypassing certain firewalls or proxy protections. This primarily affects systems using the pure Python implementation of aiohttp or those with AIOHTTPNOEXTENSIONS enabled (GitHub Advisory).

The vulnerability has been patched in version 3.12.14 of aiohttp. Users are advised to upgrade to this version to address the security issue. The fix was implemented through commit e8d774f, which added initial trailer parsing logic to the Python HTTP parser (GitHub Commit).