CVE-2025-43859
📋 TL;DR
CVE-2025-43859 is an HTTP request smuggling vulnerability in h11, the pure-Python HTTP/1.1 protocol library behind servers such as uvicorn and hypercorn and the httpcore/httpx client stack. Releases before 0.16.0 were lenient when parsing chunked transfer-coding bodies: after each chunk's data they consumed the next two bytes without checking that they were the CRLF required by RFC 9112. On its own that is a robustness bug. Behind a reverse proxy that parses the same bytes differently, the two components can disagree about where one request ends and the next begins, which is the precondition for request smuggling: poisoning proxy caches, bypassing front-end access controls, or interfering with other users' requests. Any server or client built on h11 before 0.16.0 is affected; exploitation needs a differently lenient proxy in front of it.
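What the leniency means in practice, as an added illustration (not h11's source code and not the advisory's proof of concept): a minimal RFC 9112 chunked decoder with a switch that reproduces the pre-0.16.0 behaviour the advisory describes, skipping the two bytes after chunk data without checking that they are CRLF. The sample bodies are constructed for this example and the lenient mode is a model of the described behaviour, not h11's own parser.

```python
"""Added illustration of the parsing disagreement behind CVE-2025-43859.

RFC 9112 frames a chunked body as:  chunk-size CRLF chunk-data CRLF ... 0 CRLF CRLF
"lenient" mode models the pre-0.16.0 h11 behaviour described in the advisory:
after the chunk data, two bytes are skipped without checking that they are CRLF.
"strict" mode is what 0.16.0 (and the RFC) require. This is a model, not h11 code.
"""
from __future__ import annotations


class ChunkError(ValueError):
    """Body is not valid chunked framing; a server answers 400 and drops the connection."""


def decode_chunked(data: bytes, strict: bool = True) -> tuple[bytes, bytes]:
    """Decode one chunked body from the start of ``data``.

    Returns (body, remainder). ``remainder`` is everything after the final
    CRLF CRLF; on a keep-alive connection a server parses it as the next
    request, so two parsers placing that boundary at different offsets is
    exactly the precondition for request smuggling.
    """
    pos = 0
    body = bytearray()
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("incomplete chunk-size line")
        # chunk-size may carry ";name=value" chunk extensions; only the hex size matters here.
        size_field = data[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkError(f"bad chunk size {size_field!r}") from None
        pos = eol + 2
        if size == 0:
            # Last chunk: zero or more trailer fields, then an empty line.
            # Trailer fields themselves are not validated in this illustration.
            end = data.find(b"\r\n\r\n", pos - 2)
            if end < 0:
                raise ChunkError("incomplete trailer section")
            return bytes(body), data[end + 4:]
        chunk = data[pos:pos + size]
        if len(chunk) < size:
            raise ChunkError("truncated chunk data")
        body += chunk
        pos += size
        terminator = data[pos:pos + 2]
        if strict and terminator != b"\r\n":
            raise ChunkError(f"chunk data must be followed by CRLF, got {terminator!r}")
        pos += 2  # lenient mode: the two bytes are consumed whatever they are


# Constructed inputs for the demonstration (not captured traffic).
WELL_FORMED = b"5\r\nhello\r\n0\r\n\r\n"
# Same chunk, but the CRLF after the data is replaced by two arbitrary bytes,
# followed by what a keep-alive server would read as the next request.
MALFORMED = b"5\r\nhelloXX0\r\n\r\nGET /next HTTP/1.1\r\n\r\n"


def compare(data: bytes) -> dict[str, tuple]:
    """Parse ``data`` in both modes and report what each one concludes."""
    results = {}
    for mode in ("strict", "lenient"):
        try:
            body, rest = decode_chunked(data, strict=(mode == "strict"))
            results[mode] = ("accepted", body, rest)
        except ChunkError as exc:
            results[mode] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for label, sample in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(label)
        for mode, verdict in compare(sample).items():
            print(f"  {mode:8s} {verdict}")
```

Strict mode rejects the malformed body outright, which is what a proxy enforcing RFC 9112 does, and the bytes never reach h11. Lenient mode accepts the same bytes and hands back the trailing `GET /next ...` as the start of a second request. Whether that becomes smuggling depends on whether the proxy in front placed the message boundary somewhere else, which is the "differently lenient proxy" condition the advisory describes.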
💻 Affected Systems
- h11 Python library, all releases before 0.16.0, including copies pulled in transitively by uvicorn, hypercorn, httpcore and httpx
⚠️ Manual Verification Required
The NVD record for this CVE carries no version ranges, so automatic detection that keys on NVD data cannot decide whether a given install is affected.
Why? The NVD entry does not state which versions are vulnerable in machine-readable form. The vendor advisory linked under Official Fix does give the range: every h11 release before 0.16.0.
- Review the CVE details at NVD and the h11 advisory linked under Official Fix
- Check the advisories of the packages that pull h11 in for you (uvicorn, hypercorn, httpcore/httpx) for their own fixed releases
- Check the installed h11 version in every service environment (virtualenv, container image), not only on the build host; anything below 0.16.0 is affected whatever proxy sits in front of it
- Test whether your proxy lets malformed chunked bodies through: send a chunked request whose chunk data is followed by something other than CRLF and confirm the proxy answers 400 instead of forwarding it
- Update to 0.16.0 or later as a precaution even where the proxy is believed to be strict; proxies are upgraded and reconfigured independently of the application
⚠️ Risk & Real-World Impact
Worst Case
An attacker who can desynchronize the proxy and the h11 back-end can prepend a request of their choosing to another user's request: poisoning the proxy or CDN cache with attacker-chosen responses, reaching back-end routes the proxy was supposed to block, capturing other users' requests (and the session cookies or tokens in them), or serving them attacker-controlled content that runs as script in the site's origin.
Likely Case
Cache poisoning: a smuggled request makes the proxy cache an attacker-chosen response under a popular URL, which then serves credential-harvesting or malware content to every visitor until the entry expires.
If Mitigated
Low. Smuggling needs both tiers to mis-parse the same bytes; a proxy that validates chunked framing strictly, or re-frames the body before forwarding it, removes the disagreement even before h11 is updated.
🎯 Exploit Status
This page lists no public exploit. Exploitation is not a single-request affair: the attacker needs a front-end proxy that parses chunked bodies leniently in a different way from h11 (a strict proxy rejects the malformed body before h11 ever sees it), the ability to send raw chunked request bodies, and an understanding of HTTP request smuggling techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.16.0
Vendor Advisory: https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj
Restart Required: Yes
Instructions:
1. Identify h11 usage in your Python applications: pip show h11 lists the installed packages that require it under "Required-by". h11 is usually present as a transitive dependency of uvicorn, hypercorn or httpcore/httpx rather than a direct one.
2. Update h11: pip install --upgrade "h11>=0.16.0" (quote the specifier, otherwise the shell treats > as a redirect). If pip reports a dependency conflict, a dependent package pins h11 below 0.16 (httpcore before 1.0.9 did); upgrade that package as well.
3. Restart every process that imported h11; a running server keeps the old module in memory until it is restarted.
4. Verify the update with pip show h11, run from the same interpreter or virtualenv the service uses.
🔧 Temporary Workarounds
Update reverse proxy servers
Fix the proxy instead of (or before) h11: exploitation requires both components to parse chunked bodies leniently, so a proxy that enforces CRLF after every chunk's data stops the attack on its own.
Disable or normalize chunked transfer coding at the proxy
Configure the reverse proxy to reject chunked request bodies or, less disruptively, to buffer the body and forward it re-framed with a Content-Length header (nginx does this by default while proxy_request_buffering is on), so h11 never parses attacker-supplied chunk framing. Rejecting chunked outright breaks clients that stream uploads.
🧯 If You Can't Patch
- Enforce strict HTTP/1.1 framing at the reverse proxy: reject requests that carry both Content-Length and Transfer-Encoding, reject chunk data not followed by CRLF, and do not forward Transfer-Encoding values other than chunked
- Use WAF rules to detect and block request smuggling attempts (dual framing headers, bare LF line endings, chunk-size lines with trailing bytes) and log what they drop; those hits are the best signal that someone is probing
- Where the performance cost is acceptable, disable connection reuse between proxy and back-end so a desynchronized connection cannot carry another user's request
🔍 How to Verify
Check if Vulnerable:
Run the check with the interpreter each service actually uses (inside its virtualenv or container); the system Python may carry a different h11. Any version below 0.16.0 is vulnerable:
python -c "import h11; print(h11.__version__)"
Verify Fix Applied:
This prints True once 0.16.0 or later is installed (packaging is not an h11 dependency, so install it first or compare the version by eye):
python -c "import h11; from packaging import version; print(version.parse(h11.__version__) >= version.parse('0.16.0'))"
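A fuller check than the one-liners, added here (not h11's or the page's own script): it reports the installed h11 version, whether it is at or above the fixed 0.16.0, and which installed distributions declare a dependency on h11, so you know which services to restart and which pins will block the upgrade. It reads standard package metadata via importlib.metadata only; the version comparison is a deliberately dependency-free stand-in for packaging.version.

```python
"""Added check script for CVE-2025-43859 (not h11's or the page's own code).
Run it with the interpreter each service actually uses."""
from __future__ import annotations

import re
from importlib import metadata

FIXED_VERSION = (0, 16, 0)


def parse_version(text: str) -> tuple[int, ...]:
    """'0.16.0' -> (0, 16, 0). Non-numeric suffixes ('0.16.0rc1') are ignored and
    missing components are padded with 0, so '0.16' compares as 0.16.0."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed(version_text: str) -> bool:
    """True when the installed h11 is 0.16.0 or later."""
    return parse_version(version_text) >= FIXED_VERSION


def h11_requirement(requires_dist: list[str]) -> str | None:
    """Return the requirement string naming h11 from a Requires-Dist list, if any.
    A pin such as 'h11<0.15,>=0.13' means pip will refuse to install 0.16.0
    until that dependent package is upgraded too."""
    for req in requires_dist:
        name = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
        if name and name.group(1).lower().replace("_", "-") == "h11":
            return req.strip()
    return None


def h11_dependents() -> dict[str, str]:
    """Installed distributions that declare h11 in their metadata -> their h11 requirement."""
    found = {}
    for dist in metadata.distributions():
        try:
            req = h11_requirement(dist.requires or [])
            if req:
                found[dist.metadata["Name"]] = req
        except Exception:  # skip distributions with unreadable metadata
            continue
    return found


def h11_status() -> dict:
    """Summary for the current interpreter: installed version, fixed flag, dependents."""
    try:
        installed = metadata.version("h11")
    except metadata.PackageNotFoundError:
        return {"installed": None, "fixed": None, "dependents": {}}
    return {"installed": installed, "fixed": is_fixed(installed), "dependents": h11_dependents()}


if __name__ == "__main__":
    status = h11_status()
    if status["installed"] is None:
        print("h11 is not installed in this interpreter")
    else:
        verdict = "fixed" if status["fixed"] else "VULNERABLE (upgrade to >= 0.16.0)"
        print(f"h11 {status['installed']}: {verdict}")
        for name, req in sorted(status["dependents"].items()):
            print(f"  depends on h11: {name} ({req})")
```

Every distribution the script lists under "depends on h11" is a process to restart after the upgrade; any listed requirement with an upper bound below 0.16 is a package to upgrade first, or pip will either refuse the upgrade or silently downgrade h11 again on the next install.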
📡 Detection & Monitoring
Log Indicators:
- Requests in the back-end (h11) log that the proxy never logged, or more back-end requests than the proxy forwarded on the same upstream connection
- Back-end 400 responses to chunked requests: h11 0.16.0 rejects chunk data not followed by CRLF and servers built on it such as uvicorn answer 400, so a rise in these after patching shows who was sending malformed bodies
- Chunked request bodies with malformed framing: chunk data not followed by CRLF, chunk-size lines with trailing bytes, bare LF line endings
Network Indicators:
- Requests carrying both Content-Length and Transfer-Encoding headers, or a Transfer-Encoding value other than chunked
- Request bodies that contain what looks like a second request line (for example "GET /" followed by " HTTP/1.1" inside a POST body)
SIEM Query:
Match the two signals above rather than every non-200 request, which is far too noisy to act on; field names are illustrative, adapt them to your log schema:
http.request.header:"Transfer-Encoding: chunked" AND http.request.header:"Content-Length"
http.request.header:"Transfer-Encoding: chunked" AND http.response.status:400
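The log indicators above, run as code over constructed proxy and back-end log lines (an added example, not the page's or any vendor's detection rules). It assumes both tiers log a shared connection identifier, shown here as "conn", for example one the proxy generates per client connection and injects as a request header so the back-end can log it; without such an identifier the per-connection count comparison has to be approximated by timestamp instead. The JSON-lines format and all entries are constructed for this example.

```python
"""Added detection example for the CVE-2025-43859 log indicators (constructed data)."""
from __future__ import annotations

import json
from collections import Counter

# Constructed sample logs, not real traffic. One JSON object per line; header names lower-cased.
PROXY_LOG = """\
{"conn": "c1", "method": "POST", "path": "/api/upload", "status": 200, "headers": {"transfer-encoding": "chunked"}}
{"conn": "c2", "method": "GET", "path": "/", "status": 200, "headers": {}}
{"conn": "c3", "method": "POST", "path": "/api/upload", "status": 400, "headers": {"transfer-encoding": "chunked", "content-length": "5"}}
"""
BACKEND_LOG = """\
{"conn": "c1", "method": "POST", "path": "/api/upload", "status": 200, "headers": {"transfer-encoding": "chunked"}}
{"conn": "c1", "method": "GET", "path": "/admin", "status": 200, "headers": {}}
{"conn": "c2", "method": "GET", "path": "/", "status": 200, "headers": {}}
{"conn": "c3", "method": "POST", "path": "/api/upload", "status": 400, "headers": {"transfer-encoding": "chunked", "content-length": "5"}}
"""


def parse_log(text: str) -> list[dict]:
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dual_framing(entries: list[dict]) -> list[tuple[str, str, str]]:
    """Requests carrying both Content-Length and Transfer-Encoding. RFC 9112 lets a
    server reject these; a proxy and back-end that honour different headers desync."""
    return [
        (e["conn"], e["method"], e["path"])
        for e in entries
        if "content-length" in e["headers"] and "transfer-encoding" in e["headers"]
    ]


def extra_backend_requests(proxy: list[dict], backend: list[dict]) -> dict[str, tuple[int, int]]:
    """Connections on which the back-end logged more requests than the proxy forwarded.
    Returns conn -> (proxy_count, backend_count)."""
    proxy_counts = Counter(e["conn"] for e in proxy)
    backend_counts = Counter(e["conn"] for e in backend)
    return {
        conn: (proxy_counts.get(conn, 0), n)
        for conn, n in backend_counts.items()
        if n > proxy_counts.get(conn, 0)
    }


def smuggled_candidates(proxy: list[dict], backend: list[dict]) -> list[tuple[str, str, str]]:
    """Back-end requests with no matching (conn, method, path) in the proxy log:
    the concrete requests the proxy never saw."""
    unmatched = Counter((e["conn"], e["method"], e["path"]) for e in proxy)
    found = []
    for e in backend:
        key = (e["conn"], e["method"], e["path"])
        if unmatched[key] > 0:
            unmatched[key] -= 1
        else:
            found.append(key)
    return found


def chunked_rejections(entries: list[dict]) -> list[tuple[str, str, str]]:
    """Chunked requests a tier answered with 400; after the fix, h11-based servers
    reject malformed chunk framing this way."""
    return [
        (e["conn"], e["method"], e["path"])
        for e in entries
        if e["status"] == 400 and e["headers"].get("transfer-encoding", "").lower() == "chunked"
    ]


def analyze(proxy_text: str, backend_text: str) -> dict:
    """Run every indicator over a proxy log and the matching back-end log."""
    proxy, backend = parse_log(proxy_text), parse_log(backend_text)
    return {
        "dual_framing": dual_framing(proxy),
        "extra_backend_requests": extra_backend_requests(proxy, backend),
        "smuggled_candidates": smuggled_candidates(proxy, backend),
        "backend_chunked_400": chunked_rejections(backend),
    }


if __name__ == "__main__":
    for indicator, hits in analyze(PROXY_LOG, BACKEND_LOG).items():
        print(f"{indicator}: {hits}")
```

In the sample, connection c1 is the one that matters: the proxy forwarded one POST but the back-end served a POST and a GET /admin it was never asked to forward, which is the signature of a smuggled request. c3 shows a client sending both framing headers and being rejected, which is what a strict proxy or a patched back-end should do.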