Update dependency eventlet to v0.40.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
eventlet (changelog)	==0.37.0 -> ==0.40.3

GitHub Vulnerability Alerts

CVE-2025-58068

Impact

The Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections.

This vulnerability could enable attackers to:

• Bypass front-end security controls
• Launch targeted attacks against active site users
• Poison web caches

Patches

Problem has been patched in eventlet 0.40.3.

The patch just drops trailers. If a backend behind eventlet.wsgi proxy requires trailers, then this patch BREAKS your setup.

Workarounds

Do not use eventlet.wsgi facing untrusted clients.

References

• Patch https://github.com/eventlet/eventlet/pull/1062
• This issue is similar to GHSA-9548-qrrj-x5pj

---

Release Notes

eventlet/eventlet (eventlet)

v0.40.3

Compare Source

v0.40.2

Compare Source

v0.40.1

Compare Source

v0.40.0

Compare Source

v0.39.1

Compare Source

v0.39.0

Compare Source

v0.38.2

Compare Source

v0.38.1

Compare Source

v0.38.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.