CVE-2025-43859: h11 accepts some malformed Chunked-Encoding bodies
A leniency in h11’s parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions.
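The strict framing check that this kind of leniency omits, as an added example (not h11's code and not part of the advisory). The function name, the exception class and the sample bodies are constructed for illustration, and chunk extensions and trailer fields are rejected to keep it short:

```python
class ChunkedFramingError(ValueError):
    """Raised when a chunked body violates the expected framing."""


HEXDIGITS = b"0123456789abcdefABCDEF"

# Constructed sample bodies (not taken from the advisory).
WELL_FORMED = b"5\r\nhello\r\n0\r\n\r\n"
BAD_TERMINATOR = b"5\r\nhelloXY0\r\n\r\n"   # two non-CRLF bytes after chunk-data
BARE_LF = b"5\nhello\n0\n\n"                # LF-only line endings


def decode_chunked_strict(data: bytes) -> tuple[bytes, int]:
    """Decode one complete chunked body; return (payload, bytes_consumed).

    Every line terminator must be exactly CRLF. Anything else is rejected
    rather than tolerated, so this parser and any stricter peer on the same
    connection agree on where the message ends.
    """
    pos, payload = 0, bytearray()
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedFramingError("chunk-size line is not CRLF-terminated")
        size_field = data[pos:eol]
        # 1*HEXDIG only: no sign, whitespace, "0x" prefix or stray CR/LF.
        if not size_field or any(b not in HEXDIGITS for b in size_field):
            raise ChunkedFramingError(f"invalid chunk-size {size_field!r}")
        size = int(size_field.decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: with no trailers, one more CRLF ends the body.
            if data[pos:pos + 2] != b"\r\n":
                raise ChunkedFramingError("missing final CRLF after last-chunk")
            return bytes(payload), pos + 2
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedFramingError("chunk-data shorter than declared size")
        payload += chunk
        pos += size
        # The line terminator after chunk-data must be exactly CRLF.
        terminator = data[pos:pos + 2]
        if terminator != b"\r\n":
            raise ChunkedFramingError(
                f"chunk-data followed by {terminator!r}, expected CRLF")
        pos += 2
```

The returned `bytes_consumed` is the offset at which the next message on the connection starts, which is the value two parsers must agree on.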