VYPR
High severity7.5GHSA Advisory· Published Apr 16, 2024· Updated Apr 15, 2026

CVE-2024-1135

CVE-2024-1135

Description

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
gunicornPyPI
< 22.0.022.0.0

Affected products

35

Patches

Vulnerability mechanics

References

9

News mentions

0

No linked articles in our index yet.