DirectorySecurity AdvisoriesPricing
/
Sign in
Security Advisories

CVE-2024-1135

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-1135

Severity

8.2

High

CVSS V3

Eliminate CVEs with Chainguard hardened images

Build, ship, and run secure software with minimal, hardened container images — rebuilt from source daily and guarded under our industry-leading remediation SLA.

Start for free

Description

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2024-1135
  • https://github.com/advisories/GHSA-w3h3-4rj7-4ph4
  • https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1
  • https://lists.debian.org/debian-lts-announce/2024/06/msg00027.html
  • https://lists.debian.org/debian-lts-announce/2024/12/msg00018.html

Affected packages

The trusted source for open source

Talk to an expert
© 2025 Chainguard. All Rights Reserved.
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0Golden ImagesCVE RemediationPublic Sector

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogPartnersNewsroomCareersLegal