4 matches found
CVE-2026-40898
quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...
SUSE-SU-2025:03201-1 Security update for python-aiohttp
This update for python-aiohttp fixes the following issues: - CVE-2025-53643: request smuggling vulnerability due to incorrect parsing trailer sections of an HTTP request bsc1246517...
CVE-2025-53643
CVE-2025-53643 (aiohttp) : Prior to 3.12.14, the Python parser is vulnerable to HTTP request smuggling due to not parsing trailer sections. If a pure-Python build (no C extensions) or AIOHTTP_NO_EXTENSIONS is used, an attacker may smuggle requests to bypass certain firewalls/proxy protections. Th...
GHSA-9548-QRRJ-X5PJ AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
Summary The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. Impact If a pure Python version of aiohttp is installed i.e. without the usual C extensions or AIOHTTPNOEXTENSIONS is enabled, then an attacker may be able to execu...