CVE-2025-53643: AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| aiohttp | pip | < 3.12.14 | 3.12.14 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a classic HTTP request smuggling issue: two entities, in this case aiohttp and a frontend proxy in front of it, parse the same HTTP message inconsistently, so they disagree about where one request ends and the next begins. The root cause is the incorrect handling of chunked encoding trailer sections in the pure Python HTTP parser of aiohttp.
The analysis of the patch e8d774f635dc6d1cd3174d0e38891da5de0e2b6a clearly shows that the logic for handling trailers in `aiohttp/http_parser.py` was completely rewritten. The vulnerable function is `HttpPayloadParser.feed_data`, where the chunked encoding parsing logic resides. Before the patch, this function had states to handle trailers (`PARSE_MAYBE_TRAILERS`, `PARSE_TRAILERS`), but the implementation was flawed and simply discarded any data in the trailer section. The patch rectifies this by collecting the trailer lines and parsing them as headers using the existing `HeadersParser`.
During runtime, when a malicious request with a chunked body and a smuggled request in the trailers is received, the `HttpPayloadParser.feed_data` function would be on the call stack as it processes the body of the request. Therefore, this is the primary function that would appear in a runtime profile when the vulnerability is triggered. The vulnerability only affects the pure Python parser, so it would only be exploitable when the C extensions are not used.