InfoSecBulletin Cybersecurity for mankind
A critical vulnerability tracked as CVE-2025-43859 has been disclosed in h11, a minimalist, I/O-agnostic HTTP/1.1 protocol library written in Python. Rated CVSS 9.1, the flaw could enable request smuggling attacks in applications where h11 is paired with a misconfigured or buggy HTTP proxy.
“A leniency in h11’s parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions,” the h11 advisory warns.
Hacker claim to breach Link3; 189,000 Users data up for sale
Check Point Hosts “Securing the Hyperconnected World in the AI Era” in Dhaka
Microsoft Confirms 900+ XSS Vulns Found in IT Services
Daily Security Update Dated : 15.09.2025
IBM QRadar SIEM Vuln Let Attackers Perform Unauthorized Actions
Major Australian Banks using Army of AI Bots to Scam Scammers
F5 to acquire CalypsoAI for $180M for Advanced AI Security Capabilities
AI Pentesting Tool ‘Villager’ Merges Kali Linux with DeepSeek AI for Automated Attacks
CVE-2025-21043
Samsung Patched Critical Zero-Day Flaw Exploited in Android Attacks
Albania appoints world’s first AI minister, “Diella” to Tackle Corruption
In HTTP/1.1, chunked transfer encoding is used to send request or response bodies in variable-size segments. Each chunk is terminated by a CRLF sequence (\r\n). However, until version 0.14.0, h11 incorrectly accepted any two bytes instead of properly validating that the trailing bytes were exactly \r\n.This leniency by itself isn’t immediately dangerous. But when h11 is used behind a reverse proxy that misinterprets chunked encoding, inconsistencies arise. For example, the reverse proxy might read more bytes than it should by using a naive “read until end of line” function, resulting in h11 and the proxy interpreting the same bytestream differently.
“Any time two HTTP processors both accept the same string of bytes but interpret them differently, you have the conditions for a ‘request smuggling’ attack,” the h11 advisory notes.
A demonstrated example in the advisory shows how h11 could interpret a malformed chunked request as two separate HTTP requests, while a buggy proxy sees them as one combined request. If the second request contains sensitive headers (like Cookie: SESSION_KEY=abcdef…), the server may treat this as part of the first request, effectively leaking credentials or bypassing access controls.
This is particularly dangerous in environments where proxies are used to restrict access to protected endpoints.
One of the more severe illustrated attacks involves sending two HTTP requests from different users over the same connection. A vulnerable proxy could forward both to the backend server, which in turn interprets the second user’s credentials as part of the first request’s body.
“The server will then see the two concatenated requests, and interpret them as one request to /one whose body includes /two’s session key, potentially allowing one user to steal another’s credentials,” the advisory warns.
The issue has been fixed in h11 version 0.15.0. Developers using h11 are urged to upgrade immediately.
