CVE-2024-6827: Gunicorn HTTP Request/Response Smuggling vulnerability

March 20, 2025 (updated March 21, 2025)

Gunicorn version 21.2.0 does not properly validate the value of the ‘Transfer-Encoding’ header as specified in the RFC standards, which leads to the default fallback method of ‘Content-Length,’ making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, data integrity compromise, security bypass, information leakage, and business logic abuse.

References

github.com/advisories/GHSA-hc5x-x2vx-497g
github.com/benoitc/gunicorn
github.com/benoitc/gunicorn/issues/3278
huntr.com/bounties/1b4f8f38-39da-44b6-9f98-f618639d0dd7
nvd.nist.gov/vuln/detail/CVE-2024-6827

Code Behaviors & Features

Detect and mitigate CVE-2024-6827 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →