CVE-2025-43859 — h11 accepts some malformed Chunked-Encoding bodies

Description

h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.

How to fix CVE-2025-43859

To remediate CVE-2025-43859, upgrade the affected package to a fixed version below.

—upgrade to 0.14.0-1.1~deb12u1 or later
—upgrade to 0.16.0 or later

Is CVE-2025-43859 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.14.0-1.1~deb12u1
from 0, < 0.16.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43859
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-43859
PATCHgithub.com/python-hyper/h11
WEBgithub.com/python-hyper/h11/commit/114803a29ce50116dc47951c690ad4892b1a36ed