GHSA-hc5x-x2vx-497g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hc5x-x2vx-497g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-hc5x-x2vx-497g/GHSA-hc5x-x2vx-497g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hc5x-x2vx-497g
- Aliases
- Related
- Published
- 2025-03-20T12:32:45Z
- Modified
- 2025-03-22T00:05:49.806358Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Gunicorn HTTP Request/Response Smuggling vulnerability
- Details
-
Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. This vulnerability can lead to cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, data integrity compromise, security bypass, information leakage, and business logic abuse.
- Database specific
{ "nvd_published_at": "2025-03-20T10:15:33Z", "cwe_ids": [ "CWE-444" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-03-21T23:56:30Z" }- References
Affected packages
PyPI / gunicorn
Package
- Name
- gunicorn
- View open source insights on deps.dev
- Purl
- pkg:pypi/gunicorn
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed23.0.0
Affected versions
0.*
0.1
0.2
0.2.1
0.3
0.3.1
0.3.2
0.4
0.4.1
0.4.2
0.5
0.5.1
0.6
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.9.0
0.9.1
0.10.0
0.10.1
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6
0.15.0
0.16.0
0.16.1
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
17.*
17.5
18.*
18.0
19.*
19.0.0
19.1.0
19.1.1
19.2.0
19.2.1
19.3.0
19.4.0
19.4.1
19.4.2
19.4.3
19.4.4
19.4.5
19.5.0
19.6.0
19.7.0
19.7.1
19.8.0
19.8.1
19.9.0
19.10.0
20.*
20.0.0
20.0.1
20.0.2
20.0.3
20.0.4
20.1.0
21.*
21.0.0
21.0.1
21.1.0
21.2.0
22.*
22.0.0