#VU108124 Inconsistent interpretation of HTTP requests in h11 - CVE-2025-43859
Vulnerability identifier: #VU108124
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-444
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
h11
Universal components / Libraries /
Libraries used by multiple products
Vendor: Hyper
Description
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests in h11/_readers.py. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
h11: 0.5.0 - 0.15.0
External links
https://github.com/python-hyper/h11/commit/114803a29ce50116dc47951c690ad4892b1a36ed
https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
