CVE-2024-1135

HIGH

Gunicorn < 22.0.0 - HTTP Request Smuggling via Transfer-Encoding Header Mismanagement

Title source: llm

Description

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

References (3)

Core 3

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2024/06/msg00027.html

Mailing List

https://lists.debian.org/debian-lts-announce/2024/12/msg00018.html

Exploit, Third Party Advisory

https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1

Scores

CVSS v3 7.5

EPSS 0.0300

EPSS Percentile 85.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-444

Status published

Products (2)

benoitc/benoitc/gunicorn unspecified - latest

pypi/gunicorn 0 - 22.0.0PyPI

Published Apr 16, 2024

Tracked Since Feb 18, 2026