CVE-2025-58068 eventlet

Package

Manager: pip
Name: eventlet
Vulnerable Version: >=0 <0.40.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00052 (percentile 0.1601)

Details

Eventlet affected by HTTP request smuggling in unparsed trailers

### Impact

The Eventlet WSGI parser (eventlet.wsgi) is vulnerable to HTTP request smuggling (CWE-444) because it does not correctly handle the HTTP trailer section of a chunked request body. When a front-end proxy and eventlet disagree about where a chunked request with trailers ends, bytes one side treats as trailers the other side can treat as the start of a following request, desynchronising the two. This could enable attackers to:

- bypass front-end security controls
- launch targeted attacks against active site users
- poison web caches

### Patches

The problem has been patched in eventlet 0.40.3. The patch simply drops trailers. If a back-end behind an eventlet.wsgi proxy requires trailers, this patch BREAKS your setup; verify trailer-dependent back-ends before upgrading.

### Workarounds

Do not expose eventlet.wsgi to untrusted clients.

### References

- Patch: https://github.com/eventlet/eventlet/pull/1062
- This issue is similar to https://github.com/advisories/GHSA-9548-qrrj-x5pj
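
The following is an added illustration of the trailer-section desync the advisory describes, not eventlet's own parser or the actual patch. It models two chunked-body readers over a constructed keep-alive stream carrying two pipelined requests: a reader that stops at the zero-size chunk and never consumes the trailer section (so the trailer bytes are parsed as the start of the next request), and a reader that consumes the trailer section through its terminating blank line and discards it, the same "drop trailers" approach the 0.40.3 patch takes. The sample bytes, function names and the exact shape of the vulnerable reader are assumptions for the demonstration.

```python
"""Constructed demonstration of how an unconsumed trailer section desyncs a
connection (CWE-444). Illustrative code only; not eventlet's implementation."""
import io
from typing import Dict, Tuple

# Constructed sample: two pipelined requests on one keep-alive connection.
# The first has a chunked body with a trailer section; the second is a plain GET.
SAMPLE_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.internal\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Checksum\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"                      # last chunk
    b"X-Checksum: 2cf24dba\r\n"   # trailer field
    b"\r\n"                       # blank line ends the trailer section
    b"GET /next HTTP/1.1\r\n"
    b"Host: app.internal\r\n"
    b"\r\n"
)


def read_headers(rfile) -> Tuple[bytes, Dict[bytes, bytes]]:
    """Read a request line and header fields up to the blank line."""
    request_line = rfile.readline().rstrip(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    while True:
        line = rfile.readline()
        if line in (b"\r\n", b"\n", b""):
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def read_chunked_body_vulnerable(rfile) -> bytes:
    """Model of a reader that returns at the zero-size chunk and never reads
    the trailer section. Trailer bytes stay in the connection buffer and are
    later parsed as the start of the *next* request."""
    body = b""
    while True:
        size = int(rfile.readline().split(b";")[0].strip(), 16)
        if size == 0:
            return body  # BUG (modelled): trailers, if present, are left unread
        body += rfile.read(size)
        rfile.readline()  # CRLF that follows the chunk data


def read_chunked_body_fixed(rfile) -> bytes:
    """Reader that consumes the trailer section through its blank line and
    discards it, so the next read on the connection starts at the next request."""
    body = b""
    while True:
        size = int(rfile.readline().split(b";")[0].strip(), 16)
        if size == 0:
            break
        body += rfile.read(size)
        rfile.readline()
    while True:  # drop trailer lines until the terminating blank line
        line = rfile.readline()
        if line in (b"\r\n", b"\n", b""):
            break
    return body


def serve_two_requests(body_reader) -> Tuple[bytes, bytes, bytes]:
    """Parse two requests from SAMPLE_STREAM with the given body reader and
    return (first request line, first body, second request line)."""
    rfile = io.BytesIO(SAMPLE_STREAM)
    first, hdrs = read_headers(rfile)
    body = b""
    if hdrs.get(b"transfer-encoding") == b"chunked":
        body = body_reader(rfile)
    second, _ = read_headers(rfile)
    return first, body, second


if __name__ == "__main__":
    print("vulnerable:", serve_two_requests(read_chunked_body_vulnerable))
    print("fixed:     ", serve_two_requests(read_chunked_body_fixed))
```

With the vulnerable reader the "second request line" comes out as the trailer field `X-Checksum: 2cf24dba`, and the real `GET /next` is pushed one request further along the connection; with the fixed reader the second request line is `GET /next HTTP/1.1`. Note that the fixed reader discards trailers rather than exposing them to the application, which is exactly why the advisory warns that back-ends relying on trailers break after the patch.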

Metadata

Created: 2025-08-29T20:08:24Z
Modified: 2025-09-01T20:05:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-hw6f-rjfj-j7j7/GHSA-hw6f-rjfj-j7j7.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-hw6f-rjfj-j7j7
Finding: F110
Auto approve: 1