Patch Gunicorn to Version 22.0 to Prevent HTTP Request Smuggling Vulnerability

Which version(s) are affected?

Hey fellow readers, if you deploy a Python application (bare or containerized) behind Gunicorn (Green Unicorn), there is a new vulnerability you need to know about. Gunicorn did not properly validate the Transfer-Encoding header: a request carrying multiple, conflicting Transfer-Encoding headers was treated as chunked regardless of the final encoding specified. A front-end proxy that frames the same bytes differently forwards what it sees as one request, while Gunicorn reads two. That is HTTP Request Smuggling, and it lets an attacker reach restricted API endpoints in your application that the front end would normally gate, without the credentials or tokens it enforces.
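To make the framing disagreement concrete, here is an added model in Python. It is my example for this post, not Gunicorn's parser and not the Huntr PoC: the "lenient" policy is a simplified model of the behaviour the advisory describes, the "content-length" policy stands in for a hypothetical front end that frames the body by Content-Length, and the sample request, host name and paths are constructed for the illustration.

```python
"""Added model of HTTP/1.1 body framing under three policies (not Gunicorn's code).
'lenient': any 'chunked' token selects chunked framing, final coding unchecked.
'strict': RFC 9112 section 6.  'content-length': hypothetical front end that
frames by Content-Length.  Sample request below is constructed for the demo."""

CRLF = b"\r\n"


class BadRequest(Exception):
    """Framing is ambiguous or malformed; a server should answer 400 and close."""


def parse_head(raw):
    """Split a raw request into (request_line, [(name, value), ...], bytes after headers)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise BadRequest("no end of headers")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii"), value.strip().decode("ascii")))
    return lines[0].decode("ascii"), headers, rest


def transfer_codings(headers):
    """Return (Transfer-Encoding header lines, coding tokens in the order they appear)."""
    lines = [v for n, v in headers if n == "transfer-encoding"]
    tokens = [t.strip().lower() for v in lines for t in v.split(",") if t.strip()]
    return lines, tokens


def decode_chunked(data):
    """Minimal chunked decoder: (body, bytes left on the connection after the terminator)."""
    body, pos = bytearray(), 0
    while True:
        end = data.find(CRLF, pos)
        if end < 0:
            raise BadRequest("truncated chunk-size line")
        try:
            size = int(data[pos:end].split(b";")[0].strip(), 16)  # chunk extensions ignored
        except ValueError:
            raise BadRequest("bad chunk size") from None
        pos = end + 2
        if size == 0:
            while True:  # trailer section ends with an empty line
                end = data.find(CRLF, pos)
                if end < 0:
                    raise BadRequest("truncated trailer")
                line, pos = data[pos:end], end + 2
                if not line:
                    return bytes(body), data[pos:]
        if len(data) < pos + size + 2 or data[pos + size:pos + size + 2] != CRLF:
            raise BadRequest("truncated chunk")
        body += data[pos:pos + size]
        pos += size + 2


def frame_body(raw, policy):
    """Return (body, leftover bytes) under the given policy, or raise BadRequest."""
    _, headers, rest = parse_head(raw)
    te_lines, codings = transfer_codings(headers)
    content_length = [v for n, v in headers if n == "content-length"]
    if policy == "strict" and te_lines:
        # RFC 9112 s6.1/s6.3: chunked must be the final coding, and a request carrying
        # both Transfer-Encoding and Content-Length is ambiguous. More than one TE
        # header line is rejected here rather than merged.
        if len(te_lines) > 1 or content_length or not codings or codings[-1] != "chunked":
            raise BadRequest("ambiguous message framing")
        return decode_chunked(rest)
    if policy == "lenient" and "chunked" in codings:
        return decode_chunked(rest)  # final coding unchecked, Content-Length ignored
    if content_length:
        n = int(content_length[0])
        return rest[:n], rest[n:]
    return b"", rest


# Constructed sample: a zero-length chunked body followed by a second request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
REQUEST = (
    b"POST /public HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: " + str(len(BODY)).encode("ascii") + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Transfer-Encoding: identity\r\n"  # chunked is no longer the final coding
    b"\r\n" + BODY
)


def compare_views(raw=REQUEST):
    """Frame the same bytes under each policy. The lenient back end's leftover is the
    start of a second request that the front end never saw as a request of its own."""
    views = {}
    for policy in ("content-length", "lenient", "strict"):
        try:
            views[policy] = ("ok",) + frame_body(raw, policy)
        except BadRequest as exc:
            views[policy] = ("rejected", str(exc), b"")
    return views
```

Calling compare_views() shows the front end forwarding one POST whose body merely happens to contain a "GET /admin" line, while the lenient back end consumes an empty chunked body and leaves "GET /admin ..." on the connection as the next request it will serve. The strict policy rejects the message outright, which is the direction of the 22.0 fix and what you want from the front end as well.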

The new release, version 22.0 (published as 22.0.0), fixes the issue; the change is in the Gunicorn commit linked below.

The PoC for the exploit can be found in the Huntr advisory linked below.

In short, all versions before 22.0 are affected. Update to the fixed version with pip, pipenv or conda (for pip: pip install --upgrade "gunicorn>=22.0.0") and restart the workers so the new code is actually loaded. If you cannot update yet, restrict network access to the Gunicorn listener with a firewall so that only your trusted front end can reach it. Keep in mind that a firewall alone does not stop a smuggled request that arrives through that front end on a legitimate connection, so also configure the proxy to reject requests that carry both Transfer-Encoding and Content-Length, or more than one Transfer-Encoding header.
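An added helper for checking which side of the fix an environment is on (my code, not part of the Gunicorn project); it reads the installed distribution version with the standard-library importlib.metadata, so run it inside each virtualenv or container image you ship.

```python
"""Added helper (not part of the Gunicorn project): is the installed Gunicorn
older than the 22.0.0 release that fixed the Transfer-Encoding handling?"""
from importlib import metadata

FIXED_VERSION = (22, 0, 0)


def parse_version(text):
    """Leading numeric release components, padded to three:
    '21.2.0' -> (21, 2, 0), '22.0' -> (22, 0, 0).  Suffixes such as 'rc1' are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected(version_text):
    """True when the version predates the 22.0.0 fix."""
    return parse_version(version_text) < FIXED_VERSION


def check_installed(dist_name="gunicorn"):
    """Return (installed version or None, affected flag) for the running interpreter."""
    try:
        version = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None, False
    return version, is_affected(version)


if __name__ == "__main__":
    installed, affected = check_installed()
    if installed is None:
        print("gunicorn is not installed in this interpreter")
    else:
        print(f"gunicorn {installed}: {'AFFECTED, upgrade to >=22.0.0' if affected else 'fixed'}")
```

The check only sees the interpreter it runs in, so for containerized deployments run it with the image's Python (for example via docker exec) rather than on the host.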

Source(s)

  • Github Advisory
  • NIST Advisory
  • Huntr Advisory
  • Gunicorn Commit
  • Gunicorn Releases