Eventlet affected by HTTP request smuggling in unparsed trailers
Description
Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP request smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to bypass front-end security controls, launch targeted attacks against active site users, and poison web caches. This problem has been patched in Eventlet 0.40.3 by dropping trailers, which is a breaking change if a backend behind an eventlet.wsgi proxy requires trailers. A workaround is to not expose eventlet.wsgi to untrusted clients.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eventlet WSGI parser before 0.40.3 is vulnerable to HTTP request smuggling via improper handling of HTTP trailer sections, allowing cache poisoning and bypass of security controls.
The Eventlet WSGI parser, used in Eventlet versions prior to 0.40.3, improperly handles HTTP trailer sections in chunked transfer encoding. When parsing the final chunk (length 0), the parser only reads a single line after the chunk, leaving remaining trailer data in the buffer. This incomplete parsing enables HTTP request smuggling attacks [1][3].
An attacker can exploit this by sending a crafted HTTP request that uses trailers to inject content that will be interpreted as part of the next request. The attack requires the ability to send HTTP requests to an Eventlet-based WSGI server; no authentication is needed beyond network access. The smuggled content may bypass front-end security controls such as web application firewalls or access control lists [1].
The impact includes cache poisoning, where an attacker can cause a shared cache to associate a benign URL with attacker-chosen content, affecting other users. It also enables session hijacking or other targeted attacks against active users, because the smuggled request prefix is joined to the next request on the same connection, desynchronizing which response each client receives. The vulnerability is similar to a known smuggling issue in aiohttp [3].
A fix was implemented in commit 0bfebd1 and released in Eventlet 0.40.3. The fix discards all HTTP trailers after the final chunk, which is a breaking change if a backend behind an eventlet.wsgi proxy relies on receiving trailers. As a workaround, administrators should avoid using eventlet.wsgi with untrusted clients [1][4].
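The mechanics described above, as an added example that is not Eventlet's own code: a minimal chunked-body reader that reproduces the pre-0.40.3 behaviour (one `readline()` after the zero-length chunk) beside the patched behaviour (discard every line up to the blank line that ends the trailer section), run over a constructed request whose trailer section carries a second request line. The request bytes, the `parse_connection` helper and the other function names are assumptions made for this illustration; the real Eventlet parser lives in `eventlet/wsgi.py` and handles many more cases.

```python
"""Added example (not Eventlet's code): old vs patched trailer handling."""
import io

# Constructed sample: one chunked POST whose trailer section contains a
# second, attacker-chosen request line after the first trailer field.
SMUGGLING_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\n"
    b"hello\r\n"
    b"0\r\n"
    b"X-Trailer: 1\r\n"          # the only trailer line the old code consumes
    b"GET /admin HTTP/1.1\r\n"   # smuggled: left in the buffer by the old code
    b"Host: example.test\r\n"
    b"\r\n"                      # blank line that ends the trailer section
)


def read_headers(rfile):
    """Consume the request line and headers up to the blank line."""
    lines = []
    while True:
        line = rfile.readline()
        if not line or line in (b"\r\n", b"\n"):
            break
        lines.append(line.rstrip(b"\r\n"))
    return lines


def read_chunked_body(rfile, discard_trailers):
    """Read a chunked body; discard_trailers selects patched vs old behaviour."""
    parts = []
    while True:
        size_line = rfile.readline()
        if not size_line:
            raise ValueError("unexpected EOF in chunked body")
        # Chunk size is hex, optionally followed by ";extensions".
        size = int(size_line.split(b";", 1)[0].strip(), 16)
        if size == 0:
            if discard_trailers:
                # Patched behaviour: swallow the whole trailer section.
                while True:
                    line = rfile.readline()
                    if not line or line in (b"\r\n", b"\n"):
                        break
            else:
                # Pre-0.40.3 behaviour: exactly one readline() after the 0 chunk,
                # so any further trailer lines stay in the connection buffer.
                rfile.readline()
            return b"".join(parts)
        parts.append(rfile.read(size))
        rfile.readline()  # CRLF that terminates the chunk data


def parse_connection(raw, discard_trailers):
    """Parse one request from raw bytes and return (body, leftover bytes).

    Whatever is left over is what a keep-alive server would parse as the
    *next* request on this connection.
    """
    rfile = io.BytesIO(raw)
    read_headers(rfile)
    body = read_chunked_body(rfile, discard_trailers)
    return body, rfile.read()


if __name__ == "__main__":
    _, leftover = parse_connection(SMUGGLING_REQUEST, discard_trailers=False)
    print("vulnerable leftover:", leftover)
    _, leftover = parse_connection(SMUGGLING_REQUEST, discard_trailers=True)
    print("patched leftover:", leftover)
```

With `discard_trailers=False` the leftover is `GET /admin HTTP/1.1 ...`, which a keep-alive server would treat as a fresh request that never passed through the front-end's inspection; with `discard_trailers=True` the leftover is empty. Note that the patched loop, like the real fix, also drops any legitimate trailer fields, which is the breaking change the advisory mentions.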
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| eventlet (PyPI) | < 0.40.3 | 0.40.3 |
Affected products
- eventlet/eventlet: range < 0.40.3
Patches
- 0bfebd1117d3 [SECURITY] Fix request smuggling vulnerability by discarding trailers (#1062)
1 file changed · +7 −1
eventlet/wsgi.py+7 −1 modified@@ -152,6 +152,12 @@ def _do_read(self, reader, length=None): read = b'' self.position += len(read) return read + + def _discard_trailers(self, rfile): + while True: + line = rfile.readline() + if not line or line in (b'\r\n', b'\n', b''): + break def _chunked_read(self, rfile, length=None, use_readline=False): if self.should_send_hundred_continue: @@ -202,7 +208,7 @@ def _chunked_read(self, rfile, length=None, use_readline=False): raise ChunkReadError(err) self.position = 0 if self.chunk_length == 0: - rfile.readline() + self._discard_trailers(rfile) except greenio.SSL.ZeroReturnError: pass return b''.join(response)
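Review bot: in the new `_discard_trailers` loop, `rfile.readline()` is called with no size limit and there is no cap on how many trailer lines are consumed, so a client can keep the server reading an arbitrarily long trailer section; consider passing a maximum line length to `readline()` and raising `ChunkReadError` after a fixed number of trailer lines. Minor: `b''` in `line in (b'\r\n', b'\n', b'')` is already covered by `if not line`.

Review bot: the replacement of `rfile.readline()` with `self._discard_trailers(rfile)` under `if self.chunk_length == 0:` is the whole behavioural change, and "1 file changed" shows no regression test accompanying it; a test that sends a chunked body with several trailer lines followed by a second request, and asserts the second request is parsed on its own, would pin the fix. Since trailers are now silently dropped, a docstring or changelog line should state that backends behind eventlet.wsgi no longer receive them.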
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hw6f-rjfj-j7j7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-58068 (NVD entry)
- github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb (fix commit)
- github.com/eventlet/eventlet/pull/1062 (fix pull request)
- github.com/eventlet/eventlet/security/advisories/GHSA-hw6f-rjfj-j7j7 (project advisory)
- lists.debian.org/debian-lts-announce/2025/09/msg00003.html (Debian LTS announcement)