FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

h11 accepts some malformed Chunked-Encoding bodies

Affected packages
py310-h11 < 0.16.0
py311-h11 < 0.16.0
py312-h11 < 0.16.0
py39-h11 < 0.16.0

Details

VuXML ID df126e23-24fa-11f0-ab92-f02f7497ecda
Discovery 2025-04-24
Entry 2025-04-29

h11 reports:

h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line t erminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issu e has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.

[source]

References

CVE Name CVE-2025-43859
URL https://nvd.nist.gov/vuln/detail/CVE-2025-43859

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.