The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14,     the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections     of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions)     or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to     bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
    (CVE-2025-53643)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of aioHTTP installed on the remote host is prior to 3.12.14. It is, therefore, affected by a request smuggling vulnerability:

  - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python     parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If     a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is     enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy     protections. Version 3.12.14 contains a patch for this issue. (CVE-2025-53643)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2025:03057-1 advisory.

    - CVE-2025-53643: Fixed request smuggling due to incorrect parsing of chunked trailer section     (bsc#1246517)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:2760 advisory.

    Red Hat Satellite is a system management solution that allows organizations     to configure and maintain their systems without the necessity to provide     public Internet access to their servers or other client systems. It     performs provisioning and configuration management of predefined standard     operating environments.

    Security Fix(es):

    * python-aiohttp: AIOHTTP HTTP Request/Response Smuggling (CVE-2025-53643)
    * python3.12-urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP     redirects (streaming API) (CVE-2026-21441)
    * python3.12-urllib3: urllib3 Streaming API improperly handles highly compressed data (CVE-2025-66471)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20204-1 advisory.

    Changes in python-aiohttp:

    - CVE-2025-69228: Fixed denial of service through large payloads (bsc#1256022).
    - CVE-2025-69226: Fixed brute-force leak of internal static file path components (bsc#1256020).
    - CVE-2025-69224: Fixed unicode processing of header values could cause parsing discrepancies     (bsc#1256018).
    - CVE-2025-69223: Fixed aiohttp HTTP Parser auto_decompress feature susceptible to zip bomb (bsc#1256017).
    - CVE-2025-69227: Fixed DoS when bypassing asserts (bsc#1256021).
    - CVE-2025-69225: Fixed unicode match groups in regexes for ASCII protocol elements (bsc#1256019).
    - CVE-2025-69229: Fixed DoS through chunked messages (bsc#1256023).
    - CVE-2025-53643: Fixed request smuggling due to incorrect parsing of chunked trailer section     (bsc#1246517).

    Changes in python-Brotli:

    - Add max length decompression (bsc#1254867, bsc#1256017).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2025:03201-1 advisory.

    - CVE-2025-53643: request smuggling vulnerability due to incorrect parsing trailer sections of an HTTP     request       (bsc#1246517).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
253116	Linux Distros Unpatched Vulnerability : CVE-2025-53643	Nessus	Misc.	8/21/2025	1/30/2026	medium
242322	aioHTTP < 3.12.14 Request Smuggling (CVE-2025-53643)	Nessus	Misc.	7/18/2025	1/21/2026	medium
261230	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-aiohttp (SUSE-SU-2025:03057-1)	Nessus	SuSE Local Security Checks	9/4/2025	9/4/2025	medium
299192	RHEL 9 : Satellite 6.18.3 Async Update (Important) (RHSA-2026:2760)	Nessus	Red Hat Local Security Checks	2/16/2026	2/16/2026	high
299126	openSUSE 16 Security Update : python-aiohttp, python-Brotli (openSUSE-SU-2026:20204-1)	Nessus	SuSE Local Security Checks	2/15/2026	2/15/2026	high
264668	SUSE SLES15 Security Update : python-aiohttp (SUSE-SU-2025:03201-1)	Nessus	SuSE Local Security Checks	9/13/2025	9/13/2025	medium

Detections

Analytics

Plugins Search

medium

medium

medium

high

high

medium