High severity7.5GHSA Advisory· Published Mar 20, 2025· Updated Apr 15, 2026
CVE-2024-6827
CVE-2024-6827
Description
Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, data integrity compromise, security bypass, information leakage, and business logic abuse.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gunicornPyPI | < 22.0.0 | 22.0.0 |
Affected products
38- osv-coords37 versionspkg:apk/chainguard/emissarypkg:apk/chainguard/emissary-apiextpkg:apk/chainguard/emissary-oci-entrypointpkg:apk/chainguard/py3.10-ambassadorpkg:apk/chainguard/py3.11-ambassadorpkg:apk/chainguard/py3.12-ambassadorpkg:apk/chainguard/py3.13-ambassadorpkg:apk/chainguard/supersetpkg:apk/chainguard/superset-cipkg:apk/chainguard/superset-entrypointpkg:apk/chainguard/superset-iamguarded-compatpkg:apk/wolfi/emissarypkg:apk/wolfi/emissary-apiextpkg:apk/wolfi/emissary-oci-entrypointpkg:apk/wolfi/py3.10-ambassadorpkg:apk/wolfi/py3.11-ambassadorpkg:apk/wolfi/py3.12-ambassadorpkg:apk/wolfi/py3.13-ambassadorpkg:apk/wolfi/supersetpkg:apk/wolfi/superset-cipkg:apk/wolfi/superset-entrypointpkg:apk/wolfi/superset-iamguarded-compatpkg:pypi/gunicornpkg:rpm/opensuse/python-gunicorn&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP3pkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP4pkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP5pkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP6pkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6pkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/python-gunicorn&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5
< 3.9.1-r14+ 36 more
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 4.1.1-r8
- (no CPE)range: < 4.1.1-r8
- (no CPE)range: < 4.1.1-r8
- (no CPE)range: < 4.1.1-r8
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 3.9.1-r14
- (no CPE)range: < 4.1.1-r8
- (no CPE)range: < 4.1.1-r8
- (no CPE)range: < 4.1.1-r8
- (no CPE)range: < 4.1.1-r8
- (no CPE)range: < 22.0.0
- (no CPE)range: < 20.1.0-150400.12.9.1
- (no CPE)range: < 20.1.0-150400.12.9.1
- (no CPE)range: < 20.1.0-150400.12.9.1
- (no CPE)range: < 20.1.0-150400.12.9.1
- (no CPE)range: < 20.1.0-150400.12.9.1
- (no CPE)range: < 19.7.1-150000.3.10.1
- (no CPE)range: < 19.7.1-150000.3.10.1
- (no CPE)range: < 19.7.1-150000.3.10.1
- (no CPE)range: < 19.7.1-150000.3.10.1
- (no CPE)range: < 20.1.0-150400.12.9.1
- (no CPE)range: < 20.1.0-150400.12.9.1
- (no CPE)range: < 20.1.0-150400.12.9.1
- (no CPE)range: < 20.1.0-150400.12.9.1
- (no CPE)range: < 20.1.0-150400.12.9.1
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-hc5x-x2vx-497gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-6827ghsaADVISORY
- github.com/benoitc/gunicorn/issues/3087ghsaWEB
- github.com/benoitc/gunicorn/issues/3278ghsaWEB
- github.com/benoitc/gunicorn/pull/3113ghsaWEB
- github.com/benoitc/gunicorn/releases/tag/22.0.0ghsaWEB
- huntr.com/bounties/1b4f8f38-39da-44b6-9f98-f618639d0dd7nvdWEB
News mentions
0No linked articles in our index yet.