{"id":"CVE-2024-1135","details":"Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.","aliases":["GHSA-w3h3-4rj7-4ph4"],"modified":"2026-03-11T07:26:21.636467841Z","published":"2024-04-16T00:15:07Z","withdrawn":"2026-01-27T04:20:07.394526Z","related":["CGA-f67w-874q-wh5v","MGASA-2024-0236","SUSE-SU-2024:1440-1","SUSE-SU-2024:2881-1","openSUSE-SU-2024:13891-1"],"references":[{"type":"WEB","url":"https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00027.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00018.html"}],"schema_version":"1.7.3"}