CVE-2025-58068

Eventlet affected by HTTP request smuggling in unparsed trailers

CVSS 6.3 MEDIUMEPSS 0.4%CWE-444

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.3EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

29 ago 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to, bypass front-end security controls, launch targeted attacks against active site users, and poison web caches. This problem has been patched in Eventlet 0.40.3 by dropping trailers which is a breaking change if a backend behind eventlet.wsgi proxy requires trailers. A workaround involves not using eventlet.wsgi facing untrusted clients.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Productos afectados

eventlet · eventlet

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb https://github.com/eventlet/eventlet/pull/1062 https://github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7 https://lists.debian.org/debian-lts-announce/2025/09/msg00003.html