CVE-2025-43859: h11 accepts some malformed Chunked-Encoding bodies

9.1 CVSS

Description

h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.

Classification

CVE ID: CVE-2025-43859

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem Types

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected Products

Vendor: python-hyper

Product: h11

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.88% (scored less or equal to compared to others)

EPSS Date: 2025-05-23 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-43859
https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj
https://github.com/python-hyper/h11/commit/114803a29ce50116dc47951c690ad4892b1a36ed

Timeline

2025-04-24 19:40:18 UTC
CVE

h11 accepts some malformed Chunked-Encoding bodies