CVE-2024-6827 Overview
CVE-2024-6827 is an HTTP request smuggling vulnerability in Gunicorn version 21.2.0, a widely deployed Python WSGI HTTP server. The server fails to properly validate the Transfer-Encoding header against RFC standards. When malformed values appear, Gunicorn falls back to processing the Content-Length header, enabling TE.CL request smuggling attacks. Attackers can desynchronize front-end proxies and back-end servers to bypass security controls. The weakness is classified under CWE-444: Inconsistent Interpretation of HTTP Requests.
Critical Impact
Successful exploitation enables cache poisoning, session manipulation, server-side request forgery (SSRF), cross-site scripting (XSS), denial of service, and security control bypass on Gunicorn-fronted applications.
Affected Products
- Gunicorn 21.2.0
- Python WSGI applications deployed behind affected Gunicorn versions
- Reverse proxy and load balancer configurations forwarding HTTP/1.1 traffic to vulnerable Gunicorn workers
Discovery Timeline
- 2025-03-20 - CVE-2024-6827 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-6827
Vulnerability Analysis
Gunicorn 21.2.0 incorrectly parses the HTTP Transfer-Encoding header. RFC 7230 requires a server either to recognize every transfer coding it receives or to reject the request, but Gunicorn silently falls back to Content-Length when it encounters a value it does not understand. This creates a discrepancy between how an upstream proxy and Gunicorn interpret the same request. An attacker who controls request bytes can smuggle a second request inside the body of the first.
The smuggled request bypasses front-end security checks because the proxy treats it as part of the prior request body. Gunicorn then processes the smuggled bytes as an independent request. The attack class is documented as TE.CL smuggling, where the front end honors Transfer-Encoding and the back end honors Content-Length.
Root Cause
The root cause is missing strict validation of the Transfer-Encoding header value. Gunicorn accepts obfuscated or non-conforming transfer codings such as chunked variants with whitespace, casing tricks, or unknown tokens. Instead of rejecting the request with HTTP 400, the parser ignores the header and uses Content-Length. This violates the RFC 7230 rule that Transfer-Encoding must take precedence when both headers are present.
Attack Vector
The attack is remote and unauthenticated. An attacker sends a single crafted HTTP/1.1 request containing both a malformed Transfer-Encoding header and a Content-Length header. The upstream proxy parses the request using transfer-encoding semantics while Gunicorn parses using content-length semantics. The remaining bytes appear at the head of the next request on the reused connection. The attacker can then poison shared caches, hijack adjacent user sessions, or reach internal endpoints normally blocked by the front end. Technical exploitation details are documented in the Huntr Security Bounty Summary.
Detection Methods for CVE-2024-6827
Indicators of Compromise
- HTTP requests containing both Transfer-Encoding and Content-Length headers reaching Gunicorn workers
- Malformed Transfer-Encoding values such as chunked with trailing whitespace, mixed casing, or unrecognized tokens like xchunked
- Unexpected 400-series responses interleaved with valid traffic on keep-alive connections
- Cache entries returning content that does not match the requested URL path
Detection Strategies
- Inspect proxy and Gunicorn access logs for request length mismatches between front-end and back-end entries with the same connection ID
- Deploy web application firewall rules that reject requests presenting both Transfer-Encoding and Content-Length headers
- Run smuggling probes using tools such as the HTTP Request Smuggler Burp extension against staging environments
- Alert on anomalous HTTP method distributions or sudden spikes in POST requests on endpoints that normally serve GET
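The strict framing rules described under Root Cause and the indicators listed above, as an added Python example that is neither Gunicorn's code nor part of the advisory: strict_framing is the decision a hardened front end or WAF should take for a request's body framing, and lenient_framing is a simplified model of the Content-Length fallback described for 21.2.0 (an assumption for illustration, not Gunicorn's parser). The header sets in SAMPLES are constructed.

```python
import re
from typing import List, Tuple

# Transfer-coding names are single tokens (RFC 7230 3.2.6); only registered ones pass.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}

def _values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for k, v in headers if k.lower() == name]

def strict_framing(headers: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Hardened framing decision per RFC 7230 section 3.3.3: returns ("reject",
    reason), ("chunked", ""), ("content-length", n) or ("none", "")."""
    te = _values(headers, "transfer-encoding")
    cl = _values(headers, "content-length")
    if te and cl:
        # Two parsers may disagree on where the body ends: answer 400 and close.
        return "reject", "both Transfer-Encoding and Content-Length present"
    if te:
        codings = [c.strip(" \t").lower() for v in te for c in v.split(",")]
        if not all(_TOKEN.fullmatch(c) for c in codings):
            return "reject", "malformed transfer-coding"
        if not all(c in _KNOWN_CODINGS for c in codings):
            return "reject", "unrecognized transfer-coding"
        if codings[-1] != "chunked":
            return "reject", "chunked is not the final transfer-coding"
        return "chunked", ""
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            return "reject", "invalid or conflicting Content-Length"
        return "content-length", cl[0]
    return "none", ""

def lenient_framing(headers: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Simplified model (not Gunicorn's code) of the fallback the advisory
    describes: anything but plain 'chunked' is ignored in favour of Content-Length."""
    te = _values(headers, "transfer-encoding")
    cl = _values(headers, "content-length")
    if any(v.strip().lower() == "chunked" for v in te):
        return "chunked", ""
    if cl:
        return "content-length", cl[0]
    return "none", ""

# Constructed sample header sets (not captured traffic) for the checks.
SAMPLES = {
    "plain chunked": [("Transfer-Encoding", "chunked")],
    "obfuscated te plus cl": [("Transfer-Encoding", "xchunked"), ("Content-Length", "6")],
    "duplicate cl": [("Content-Length", "5"), ("Content-Length", "7")],
}
```

A request on which strict_framing returns "reject" while lenient_framing returns a Content-Length framing is exactly the discrepancy the detection rules above look for.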
Monitoring Recommendations
- Centralize Gunicorn access_log and reverse proxy logs and correlate by client IP, connection ID, and timestamp
- Track Gunicorn version strings across deployments and flag any worker still reporting gunicorn/21.2.0
- Monitor cache hit ratios and response body anomalies for evidence of cache poisoning
How to Mitigate CVE-2024-6827
Immediate Actions Required
- Upgrade Gunicorn to a fixed release beyond 21.2.0 across all production and staging hosts
- Audit reverse proxy configurations and enable strict HTTP/1.1 parsing on upstream tiers such as Nginx, HAProxy, or Envoy
- Configure front-end proxies to normalize or reject requests containing both Transfer-Encoding and Content-Length headers
- Disable HTTP/1.1 connection reuse between the proxy and Gunicorn when feasible, forcing one request per connection
Patch Information
Review the Huntr Security Bounty Summary for remediation guidance and apply the latest Gunicorn release that enforces strict Transfer-Encoding validation. Verify the running version with gunicorn --version on every worker host after deployment.
Workarounds
- Terminate HTTP/1.1 at a hardened proxy that strictly validates transfer encodings and forwards normalized HTTP/1.1 or HTTP/2 to Gunicorn
- Drop inbound requests containing duplicate, malformed, or obfuscated Transfer-Encoding values at the edge
- Restrict keep-alive timeouts and maximum requests per connection on Gunicorn workers to reduce smuggling opportunity
# Example Nginx hardening to reject ambiguous framing before traffic reaches Gunicorn
http {
    upstream gunicorn_upstream {
        server 127.0.0.1:8000;   # Gunicorn bind address; adjust to the deployment
    }

    # Flag any non-empty Transfer-Encoding value, not only ones spelled "chunked",
    # so obfuscated or unknown tokens such as "xchunked" are caught as well
    map $http_transfer_encoding $bad_framing {
        ""      0;
        default 1;
    }

    server {
        listen 443 ssl;
        # ssl_certificate and ssl_certificate_key directives omitted for brevity

        # Build a marker: "T" when Transfer-Encoding is present, "C" when Content-Length is
        set $deny "";
        if ($bad_framing) {
            set $deny "${deny}T";
        }
        if ($http_content_length) {
            set $deny "${deny}C";
        }
        # Both framing headers on one request: reject with 400 instead of forwarding it
        if ($deny = "TC") {
            return 400;
        }

        location / {
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_pass http://gunicorn_upstream;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.