Vulnerability Details
Basic Information
| Title | CVE-2025-43859 h11 accepts some malformed Chunked-Encoding bodies |
|---|---|
| Type | vulnrichment |
| Published | 2025-04-24T18:15:53 |
| Last Seen | 2025-04-24T19:26:24 |
| CVSS Score | 9.1 (CRITICAL) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | NONE |
CVE Information
| CVE IDs | CVE-2025-43859 |
|---|---|
| CWE | CWE-444 |
| Bulletin Family | cve |
Description
h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11’s parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.
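The kind of strictness the description refers to, as an added example (not h11's code or its 0.16.0 patch): a decoder that follows the RFC 9112 chunked grammar and rejects any line terminator other than CRLF instead of skipping over it. The names `decode_chunked_strict`, `is_strictly_framed` and the sample bodies are constructed for illustration.

```python
import re

# chunk-size line (RFC 9112 section 7.1): 1*HEXDIG, optional chunk-ext, CRLF.
# Stricter than the RFC in one respect: no whitespace is allowed before ";".
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,16})(?:;[^\r\n]*)?\r\n")

# Constructed sample bodies (not taken from the advisory).
GOOD = b"5\r\nhello\r\n0\r\n\r\n"
BARE_LF = b"5\nhello\n0\n\n"                # LF-only line terminators
BAD_DATA_END = b"5\r\nhelloXX0\r\n\r\n"     # chunk data not followed by CRLF

class ChunkedFramingError(ValueError):
    """The body deviates from the strict chunked grammar."""

def decode_chunked_strict(raw: bytes) -> tuple:
    """Decode one complete chunked body; return (payload, leftover_bytes)."""
    pos, payload = 0, bytearray()
    while True:
        m = _SIZE_LINE.match(raw, pos)
        if m is None:
            raise ChunkedFramingError(f"bad chunk-size line at offset {pos}")
        size, pos = int(m.group(1), 16), m.end()
        if size == 0:
            break
        if len(raw) < pos + size + 2:
            raise ChunkedFramingError("truncated chunk")
        payload += raw[pos:pos + size]
        pos += size
        # The terminator after chunk data must be CRLF exactly; reject, never skip.
        if raw[pos:pos + 2] != b"\r\n":
            raise ChunkedFramingError(f"chunk data not followed by CRLF at offset {pos}")
        pos += 2
    # Trailer section: zero or more field lines, closed by an empty CRLF line.
    while True:
        end = raw.find(b"\r\n", pos)
        if end == -1:
            raise ChunkedFramingError("unterminated trailer section")
        line, pos = raw[pos:end], end + 2
        if not line:
            return bytes(payload), raw[pos:]
        if b"\r" in line or b"\n" in line:
            raise ChunkedFramingError("bare CR or LF in trailer line")

def is_strictly_framed(raw: bytes) -> bool:
    """True only if the whole body parses under the strict grammar."""
    try:
        decode_chunked_strict(raw)
    except ChunkedFramingError:
        return False
    return True
```

The second return value is whatever follows the body on the connection, so a test harness can compare where this decoder and a fronting proxy each place the end of the message.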
Impact Assessment
| Base Score | 9.1 |
|---|---|
| Severity | CRITICAL |