High severity7.5NVD Advisory· Published Mar 20, 2025· Updated Apr 15, 2026
CVE-2024-6827
CVE-2024-6827
Description
Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, data integrity compromise, security bypass, information leakage, and business logic abuse.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gunicornPyPI | < 22.0.0 | 22.0.0 |
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-hc5x-x2vx-497gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-6827ghsaADVISORY
- github.com/benoitc/gunicorn/issues/3087ghsaWEB
- github.com/benoitc/gunicorn/issues/3278ghsaWEB
- github.com/benoitc/gunicorn/pull/3113ghsaWEB
- github.com/benoitc/gunicorn/releases/tag/22.0.0ghsaWEB
- huntr.com/bounties/1b4f8f38-39da-44b6-9f98-f618639d0dd7nvdWEB
News mentions
0No linked articles in our index yet.