Fluid Attacks Database

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python-aiohttp	=3.7.4-1 \|\| =3.7.4-1+deb11u1 \|\| >=0 <3.7.4-1+deb11u2	3.7.4-1+deb11u2
debian 12	python-aiohttp	=3.10.0-1 \|\| =3.10.1-1 \|\| =3.10.10-1 \|\| =3.10.10-2 \|\| =3.10.11-1 \|\| =3.10.3-1 \|\| =3.10.3-2 \|\| =3.10.3-3 \|\| =3.10.4-1 \|\| =3.10.5-1 \|\| =3.10.6-1 \|\| =3.10.8-1 \|\| =3.11.15-1 \|\| =3.11.16-1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| =3.13.3-1 \|\| =3.13.3-2 \|\| =3.13.3-3 \|\| =3.13.5-1 \|\| =3.8.4-1 \|\| =3.8.4-1+deb12u1 \|\| =3.8.5-1 \|\| =3.8.6-1 \|\| =3.9.1-1 \|\| =3.9.5-1	-
debian 13	python-aiohttp	=3.11.16-1 \|\| =3.11.16-1+deb13u1 \|\| =3.12.15-1 \|\| =3.13.0-1 \|\| =3.13.1-1 \|\| =3.13.3-1 \|\| =3.13.3-2 \|\| =3.13.3-3 \|\| =3.13.5-1	-
debian 14	python-aiohttp	=3.11.16-1 \|\| >=0 <3.12.15-1	3.12.15-1
pypi	aiohttp	>=0 <3.12.14	3.12.14

Aliases

1. CVE-2025-536432. NVD-2025-536433. OSV-DEBIAN-2025-536434. OSV-2025-536435. GHSA-9548-qrrj-x5pj6. GCVE-2025-536437. SECURITY-TRACKER-CVE-2025-53643

References

1. https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9548-qrrj-x5pj2. https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.