CVE-2025-53643 (High) detected in aiohttp-3.10.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl #945
Description
CVE-2025-53643 - High Severity Vulnerability
Vulnerable Library - aiohttp-3.10.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
Async http client/server framework (asyncio)
Path to dependency file: /samples/.ws-temp-DZSFGI-requirements.txt
Path to vulnerable library: /tmp/containerbase/cache/.cache/pypoetry/virtualenvs/package-cbrn6T-w-py3.9/lib/python3.9/site-packages/aiohttp-3.10.3.dist-info,/tmp/containerbase/cache/.cache/pypoetry/virtualenvs/opensearch-py-benchmarks-NjCgjYIu-py3.9/lib/python3.9/site-packages/aiohttp-3.10.3.dist-info
Dependency Hierarchy:
- opensearch_py-3.0.0-py3-none-any.whl (Root Library)
- ❌ aiohttp-3.10.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: bf9add4eede4815f68ab99d7df8d0e2d3c6931bd
Found in base branch: main
Vulnerability Details
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
Publish Date: 2025-07-14
URL: CVE-2025-53643
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9548-qrrj-x5pj
Release Date: 2025-07-14
Fix Resolution: aiohttp - 3.12.14