In this post we take a closer look at CVE-2025-43859, a vulnerability in h11, the Python library that implements the HTTP/1.1 protocol. The issue is a request smuggling scenario caused by leniency in the parsing of line terminators in chunked-coding message bodies. It has been patched in h11 version 0.16.0. Below we discuss the vulnerability, analyze a code snippet related to the issue, and list the steps needed to mitigate the associated risk, with links to the original references for further reading.

Understanding the Vulnerability

h11 is a popular Python library that provides a pure-Python, I/O-free implementation of the HTTP/1.1 protocol. Prior to version 0.16.0, its parser for chunked-coding message bodies (CVE-2025-43859) was lenient about line terminators: where the specification requires a CRLF (\r\n) after each chunk's data, h11 accepted other byte sequences as well. A front-end proxy that frames the same bytes differently will then disagree with h11 about where one request ends and the next begins, which is the precondition for request smuggling.

Determining the affected versions

The vulnerability exists in h11 versions prior to 0.16.0. Updating to version 0.16.0 or later resolves this issue.

Reference: https://github.com/python-hyper/h11/releases

Code Snippet

Below is a simplified snippet (in the style of h11's internal line-scanning helpers, not a verbatim copy of the library) illustrating the lenient handling of line terminators:

from h11 import RemoteProtocolError

def _from_bytes_helper(self, input_bytes, idx):
    # Lenient scan: look only for LF (0x0A), so "\n" on its own is
    # accepted where the protocol requires CRLF (0x0D 0x0A).
    idx = input_bytes.find(b"\n", idx)
    if idx == -1:
        raise RemoteProtocolError("illegal CRLF")
    idx += 1  # consume the terminator
    return input_bytes[:idx], idx

Here, _from_bytes_helper searches for the newline character (\x0A) in the input bytes but does not enforce the proper CRLF (\x0D\x0A) line terminator, so a bare LF, or a CR followed by anything else, is accepted as the end of a line. A strict implementation would search for b"\r\n" and reject anything else.
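To make the difference concrete, here is an added example (my own minimal chunked-body decoder, not code from h11) with a switch for how the terminator after each chunk's data is checked. In strict mode only CRLF is accepted; in lenient mode a bare LF is tolerated, mirroring the scan above. The sample bodies are constructed for this example; the "GET /admin" tail is there only to show that whatever follows the terminating 0-chunk is what a server would treat as the start of the next request on the same connection.

```python
"""Strict vs. lenient chunked-body framing (added example, not h11's code)."""
from __future__ import annotations

CRLF = b"\r\n"


class ChunkFramingError(ValueError):
    """Raised when the body does not follow HTTP/1.1 chunked framing."""


def _read_line(buf: bytes, pos: int, strict: bool) -> tuple[bytes, int]:
    """Return (line without terminator, position after the terminator).

    strict=True requires CRLF. strict=False accepts a bare LF too and strips
    an optional preceding CR, which is the leniency discussed on this page.
    """
    if strict:
        end = buf.find(CRLF, pos)
        if end == -1:
            raise ChunkFramingError("expected CRLF-terminated line")
        return buf[pos:end], end + 2
    end = buf.find(b"\n", pos)
    if end == -1:
        raise ChunkFramingError("expected line terminator")
    line = buf[pos:end]
    if line.endswith(b"\r"):
        line = line[:-1]
    return line, end + 1


def _expect_terminator(buf: bytes, pos: int, strict: bool) -> int:
    """Consume the terminator that must follow chunk-data; return new pos."""
    if buf.startswith(CRLF, pos):
        return pos + 2
    if not strict and buf.startswith(b"\n", pos):
        return pos + 1  # lenient: bare LF tolerated
    raise ChunkFramingError(f"chunk-data not followed by CRLF at offset {pos}")


def decode_chunked(body: bytes, strict: bool = True) -> tuple[bytes, bytes]:
    """Decode one chunked message body.

    Returns (payload, leftover): leftover is everything after the 0-chunk and
    the empty trailer line, i.e. what a server would parse as the next request.
    """
    pos = 0
    payload = bytearray()
    while True:
        size_line, pos = _read_line(body, pos, strict)
        size_field = size_line.split(b";", 1)[0]  # drop any chunk extension
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkFramingError(f"bad chunk-size {size_line!r}") from None
        if size == 0:
            break
        if pos + size > len(body):
            raise ChunkFramingError("truncated chunk-data")
        payload += body[pos:pos + size]
        pos += size
        pos = _expect_terminator(body, pos, strict)
    # Trailer section: header lines up to and including an empty line.
    while True:
        line, pos = _read_line(body, pos, strict)
        if line == b"":
            break
    return bytes(payload), body[pos:]


def frame(body: bytes, strict: bool) -> str:
    """Summarise how one parser frames `body`: a rejection or payload|leftover."""
    try:
        payload, leftover = decode_chunked(body, strict=strict)
    except ChunkFramingError as exc:
        return f"reject ({exc})"
    return f"payload={payload!r} leftover={leftover!r}"


# Constructed sample: bare LF after the chunk data, then a second request.
SAMPLE = b"5\r\nhello\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for strict in (True, False):
        print("strict " if strict else "lenient", "->", frame(SAMPLE, strict))
```

The strict decoder refuses the sample outright, so a connection using it never sees the trailing "GET /admin" as a request. The lenient decoder accepts the body and hands the tail to the next parse; whether that is smuggling depends on whether the front-end proxy saw one request or two, which is why the advisory says fixing either component suffices.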

Exploit Details

To exploit CVE-2025-43859, an attacker sends a request whose chunked-coding body uses a line terminator that h11 accepts but the HTTP/1.1 specification does not allow, so that h11 and a front-end (reverse) proxy disagree about where the message body ends: bytes one side treats as the end of the body, the other treats as the start of a second, smuggled request. Exploitation therefore requires h11 to be deployed behind a proxy that itself mishandles the malformed framing. Fixing either the h11 or the proxy component is sufficient to mitigate this issue.

Mitigation

1. Upgrade h11 to version 0.16.0 or later to patch the vulnerability.

Reference: https://github.com/python-hyper/h11/releases

2. Ensure that the (reverse) proxy being used is up-to-date and not vulnerable to similar request smuggling vulnerabilities.
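After upgrading, it is worth verifying the fix rather than trusting the version string alone. The following added example (not part of h11's own test suite) drives h11's public server-side Connection API with a constructed request whose chunk data is followed by "\n\n" instead of CRLF. It assumes, as the advisory describes, that a patched h11 (0.16.0 or later) rejects a non-CRLF terminator with a ProtocolError while an unpatched one parses the body as if it were well-formed; the request path /probe is arbitrary. The helper version_is_patched is a plain version comparison against 0.16.0.

```python
"""Probe the installed h11 for CVE-2025-43859 (added example, not h11's code)."""
from __future__ import annotations

import importlib.metadata

try:
    import h11
except ImportError:  # h11 is not installed in this environment
    h11 = None

# Constructed probe request: chunk data "hello" followed by "\n\n", not CRLF.
PROBE_REQUEST = (
    b"POST /probe HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\n\n"
    b"0\r\n\r\n"
)


def installed_h11_version() -> str | None:
    """Version string of the installed h11 distribution, or None."""
    try:
        return importlib.metadata.version("h11")
    except importlib.metadata.PackageNotFoundError:
        return None


def version_is_patched(version: str) -> bool:
    """True if `version` is 0.16.0 or later, the CVE-2025-43859 fix release."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) >= (0, 16, 0)


def probe_installed_h11() -> str:
    """Feed PROBE_REQUEST to a server-side h11 Connection.

    Returns 'strict' if h11 raises a ProtocolError on the bad terminator,
    'lenient' if it reaches EndOfMessage anyway, 'inconclusive' if it stalls,
    or 'h11 not installed'.
    """
    if h11 is None:
        return "h11 not installed"
    conn = h11.Connection(h11.SERVER)
    conn.receive_data(PROBE_REQUEST)
    try:
        while True:
            event = conn.next_event()
            if event is h11.NEED_DATA or event is h11.PAUSED:
                return "inconclusive"
            if isinstance(event, h11.EndOfMessage):
                return "lenient"
    except h11.ProtocolError:
        return "strict"


if __name__ == "__main__":
    version = installed_h11_version()
    print("h11 version:", version)
    if version is not None:
        print("version >= 0.16.0:", version_is_patched(version))
    print("terminator handling:", probe_installed_h11())
```

If the probe reports "lenient", upgrade with pip install --upgrade "h11>=0.16.0" and re-run it; a "strict" result means the non-CRLF terminator is now rejected at the h11 layer regardless of what the proxy in front does.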

Final Thoughts

To protect your applications and infrastructure from this request smuggling vulnerability (CVE-2025-43859), upgrade the h11 library to the patched version (0.16.0 or later) and make sure the proxy in front of it enforces HTTP/1.1 chunked framing strictly. Taking both precautions removes the disagreement between the two parsers that the attack depends on.

For more information, refer to the following resources and references:

1. h11 GitHub Repository: https://github.com/python-hyper/h11
2. h11 Changelog: https://github.com/python-hyper/h11/blob/main/CHANGELOG.rst
3. Request Smuggling Attack Explanation: https://portswigger.net/web-security/request-smuggling

Timeline

Published on: 04/24/2025 19:15:47 UTC