How the CVE Works
The vulnerability (CVE-2025-XXXX) in h11 (versions ≤ 0.14.0) stems from improper validation of chunked-encoding line terminators. HTTP/1.1 chunked transfer encoding requires each chunk to end with \r\n, but h11 accepted any two bytes. This leniency, combined with a misconfigured proxy (e.g., Pound) that incorrectly parses chunked data, enables request smuggling. Attackers can craft malicious requests where the proxy and server interpret payloads differently, bypassing security controls or stealing session cookies via malformed chunk termination.
DailyCVE Form
Platform: h11
Version: ≤ 0.14.0
Vulnerability: Request Smuggling
Severity: Critical
Date: 2025-01-09
What Undercode Say:
Exploitation:
1. Craft Malformed Chunks:
    GET / HTTP/1.1\r\n
    Transfer-Encoding: chunked\r\n
    5\r\n
    AAAAAXX\r\n        <- "XX" where the chunk terminator \r\n is required (invalid terminator)
2. Proxy Bypass:
- Proxy sees one request; server sees two.
3. Session Hijacking:
- Inject second request with stolen cookies.
Detection:
1. Check h11 Version:
    pip show h11 | grep Version
2. Proxy Log Analysis:
    grep -i "chunked" /var/log/proxy/access.log
Mitigation:
1. Update h11:
    pip install --upgrade "h11>=0.15.0"

(The version specifier is quoted so the shell does not treat `>` as an output redirection.)
2. Proxy Hardening:
- Reject non-\r\n chunk terminators.
3. WAF Rules:
    if ($http_transfer_encoding ~ "chunked") { set $smuggling_check "1"; }
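The following is an added example, not code from the original post or from the h11 project. It illustrates the mechanism described under "How the CVE Works" and the "Reject non-\r\n terminators" hardening step in one place: a small chunked-body decoder with a strict mode (exactly \r\n after each chunk, as RFC 9112 requires) and a lenient mode that consumes any two bytes, which is the behaviour the post attributes to h11 ≤ 0.14.0. Running both over the same bytes shows the parser disagreement that a smuggling chain relies on; a proxy or WAF that applies the strict check closes that gap. The sample bodies, the `ChunkError` class and the `compare_parsers` helper are constructed here for illustration.

```python
import re

# Chunk-size line: hex size, optional ";ext" chunk extensions, then CRLF.
# No "^" anchor: Pattern.match(s, pos) already anchors at pos.
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


class ChunkError(ValueError):
    """Raised for a malformed chunked body (constructed for this example)."""


def parse_chunked(body: bytes, strict: bool = True) -> bytes:
    """Decode an HTTP/1.1 chunked body and return the reassembled payload.

    strict=True : every chunk must be followed by exactly b"\\r\\n".
    strict=False: any two bytes after the chunk data are swallowed as the
                  terminator (the lenient behaviour described for h11 <= 0.14.0).
    """
    out = bytearray()
    pos = 0
    while True:
        m = CHUNK_SIZE_LINE.match(body, pos)
        if not m:
            raise ChunkError(f"illegal chunk header at offset {pos}: {body[pos:pos + 16]!r}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            # Last chunk: skip optional trailer fields up to the empty line.
            while True:
                end = body.find(b"\r\n", pos)
                if end < 0:
                    raise ChunkError("unterminated trailer section")
                line, pos = body[pos:end], end + 2
                if line == b"":
                    return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            raise ChunkError("truncated chunk data")
        pos += size
        terminator = body[pos:pos + 2]
        if len(terminator) < 2:
            raise ChunkError("truncated chunk terminator")
        if strict and terminator != b"\r\n":
            raise ChunkError(
                f"malformed chunk terminator {terminator!r} after {size}-byte chunk"
            )
        pos += 2  # strict: consumed CRLF; lenient: consumed whatever two bytes were there
        out += chunk


# Constructed sample bodies. MALFORMED has "XX" where "\r\n" is required after
# the 5-byte chunk, followed by the terminating zero-length chunk.
WELL_FORMED = b"5\r\nAAAAA\r\n0\r\n\r\n"
MALFORMED = b"5\r\nAAAAAXX0\r\n\r\n"


def compare_parsers(body: bytes) -> dict:
    """Run strict and lenient decoding over one body and flag a disagreement.

    A 'desync' (one side accepts what the other rejects) is the precondition
    for the proxy/server split the post describes.
    """
    results = {}
    for name, strict in (("strict", True), ("lenient", False)):
        try:
            results[name] = parse_chunked(body, strict=strict)
        except ChunkError as exc:
            results[name] = exc
    strict_failed = isinstance(results["strict"], ChunkError)
    lenient_failed = isinstance(results["lenient"], ChunkError)
    results["desync"] = strict_failed != lenient_failed
    return results


if __name__ == "__main__":
    for label, body in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        r = compare_parsers(body)
        print(f"{label}: strict={r['strict']!r} lenient={r['lenient']!r} desync={r['desync']}")
```

On the malformed body the lenient decoder returns the payload `AAAAA` as if nothing were wrong, while the strict decoder raises on the `XX` terminator; that single disagreement is what the hardening step removes. The same strict check is the rule a proxy should apply before forwarding a chunked body upstream.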
PoC (Python):
    import h11

    # Constructed request: the 5-byte chunk "AAAAA" is followed by "XX" where the
    # terminator "\r\n" is required, then the terminating zero-length chunk.
    # h11 <= 0.14.0 swallows any two bytes there; v0.15.0+ rejects them.
    data = (b"POST / HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"5\r\nAAAAAXX0\r\n\r\n")

    conn = h11.Connection(our_role=h11.SERVER)
    conn.receive_data(data)
    try:
        event = conn.next_event()
        while event is not h11.NEED_DATA and not isinstance(event, h11.EndOfMessage):
            event = conn.next_event()
        print("accepted")           # vulnerable versions reach here
    except h11.ProtocolError as exc:
        print("rejected:", exc)     # Fails in v0.15.0+
References:
Sources:
Reported By: github.com