vulnerability

Debian: CVE-2024-1135: gunicorn -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:C/A:N)	Apr 16, 2024	Dec 23, 2024	Mar 30, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:C/A:N)

Published

Apr 16, 2024

Added

Dec 23, 2024

Modified

Mar 30, 2026

Description

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

Solution

debian-upgrade-gunicorn

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report