CVE-2025-43859

CRITICAL EPSS 40.4%

Published Apr 24, 20251y ago · Modified Jun 17, 20261w ago

9.1 CVSS 3.1

Critical

Published Apr 24, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.

CVSS Details

Base Score

9.1

Exploitability

3.9

Impact

5.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

40.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-444

References 2

github.com https://github.com/python-hyper/h11/commit/114803a29ce50116dc47951c690ad4892b1a36ed
github.com https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.