CVE-2025-58068: Eventlet affected by HTTP request smuggling in unparsed trailers

August 29, 2025 (updated September 1, 2025)

The Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections.

This vulnerability could enable attackers to:

Bypass front-end security controls
Launch targeted attacks against active site users
Poison web caches

References

github.com/advisories/GHSA-hw6f-rjfj-j7j7
github.com/eventlet/eventlet
github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb
github.com/eventlet/eventlet/pull/1062
github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7
nvd.nist.gov/vuln/detail/CVE-2025-58068

Code Behaviors & Features

Detect and mitigate CVE-2025-58068 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →