EXECUTIVE SUMMARY:
A vulnerability has been disclosed in h11, tracked as CVE-2025-43859, a minimalist, input-output agnostic HTTP 1.1 protocol library written in Python, which could enable request smuggling attacks in applications where h11 is paired with a misconfigured or buggy HTTP proxy. The flaw arises from a leniency in h11’s parsing of line terminators in chunked coding message bodies, leading to potential inconsistencies when combined with reverse proxies that misinterpret chunked encoding. These inconsistencies can allow attackers to craft specially formatted requests that are interpreted differently by the HTTP processors, causing one request to potentially contain sensitive headers or bypass access controls. The flaw is particularly dangerous in environments where proxies are used to restrict access to protected endpoints, as it may lead to credential leakage or unauthorized access. It highlights the risks of improper proxy handling and the importance of correctly validating chunked encoding. Attackers exploiting this flaw could gain unauthorized access to sensitive data or control over server interactions. It is reviewing the configuration of reverse proxies can prevent misinterpretations that could lead to such exploits. The vulnerability has a CVSS score of 9.1.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: