benoitc/gunicorn
cpe:2.3:a:gunicorn:gunicorn:*:*:*:*:*:*:*
- 21.2.0
A request smuggling vulnerability has been identified in Gunicorn version 21.2.0. The issue arises because the server does not validate the 'Transfer-Encoding' header as the RFC requires. This flaw causes the server to fall back to 'Content-Length' framing for the request body, exposing it to TE.CL (Transfer-Encoding to Content-Length) request smuggling. Exploiting this vulnerability can lead to various security issues, including cache poisoning, data exposure, session manipulation, server-side request forgery (SSRF), cross-site scripting (XSS), denial-of-service (DoS), data integrity compromise, security bypass, information leakage, and abuse of business logic.
Exploitation of this vulnerability causes HTTP request smuggling, which can disrupt the normal processing of HTTP requests and responses. This type of vulnerability can be exploited to bypass security controls, manipulate user sessions, or cause other harmful effects depending on the application's logic and data handling.
To reproduce this vulnerability, send a POST request to a Gunicorn server running version 21.2.0 with the 'Transfer-Encoding' header set to 'chunked,gzip'. Include a chunked body that contains a second GET request to a protected route, such as '/admin'. Gunicorn will improperly process the request, leading to request smuggling.
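The check the advisory says was missing is the body-framing decision of RFC 7230 section 3.3.3: a request whose Transfer-Encoding list does not end in 'chunked' has no determinable body length and must be rejected with 400 rather than silently falling back to Content-Length, and a request carrying both headers is a smuggling signal. The following is an added example written for this page, not Gunicorn's code or its actual fix; it applies those RFC rules to a constructed header dictionary so a defender can see exactly which inputs a compliant front end should refuse (names such as decide_framing are this example's own).

```python
"""RFC 7230 section 3.3.3 body-framing decision for one incoming HTTP request.

Added example, not Gunicorn's own parser. Given the request headers, decide
whether the body is chunked, Content-Length delimited, absent, or whether the
request must be rejected because its length cannot be determined reliably.
"""
import re
from typing import Dict, Optional, Tuple

# A valid Content-Length is a single non-negative decimal integer.
_CONTENT_LENGTH_RE = re.compile(r"[0-9]+")


def _transfer_codings(value: str) -> list:
    """Split a Transfer-Encoding value into lower-cased coding names.

    The field is a comma-separated list; each element may carry
    ';'-separated parameters, which do not affect framing.
    """
    codings = []
    for element in value.split(","):
        name = element.split(";", 1)[0].strip().lower()
        if name:
            codings.append(name)
    return codings


def decide_framing(headers: Dict[str, str]) -> Tuple[str, Optional[int], str]:
    """Return (mode, length, reason).

    mode is one of "chunked", "content-length", "none" or "reject".
    length is the declared body length for "content-length", else None/0.
    reason is a short human-readable explanation for logging.
    """
    # Header field names are case-insensitive.
    h = {k.lower(): v for k, v in headers.items()}
    te = h.get("transfer-encoding")
    cl = h.get("content-length")

    if te is not None and cl is not None:
        # Both present: RFC 7230 3.3.3 says Transfer-Encoding overrides, but the
        # combination is the classic smuggling signal, so a defensive front end
        # rejects it outright instead of guessing.
        return "reject", None, "both Transfer-Encoding and Content-Length present"

    if te is not None:
        codings = _transfer_codings(te)
        if not codings:
            return "reject", None, "empty Transfer-Encoding"
        if codings[-1] != "chunked":
            # chunked is not the final coding: the message body length cannot
            # be determined; the server MUST respond 400 and close. Falling back
            # to Content-Length here is exactly the TE.CL defect described above.
            return "reject", None, f"chunked is not the final transfer coding: {te!r}"
        if codings.count("chunked") > 1:
            return "reject", None, "chunked applied more than once"
        return "chunked", None, "Transfer-Encoding ends with chunked"

    if cl is not None:
        if not _CONTENT_LENGTH_RE.fullmatch(cl.strip()):
            return "reject", None, f"invalid Content-Length: {cl!r}"
        return "content-length", int(cl.strip()), "Content-Length framing"

    return "none", 0, "no body"


if __name__ == "__main__":
    # Constructed sample headers, including the malformed value named above.
    samples = [
        {"Transfer-Encoding": "chunked,gzip"},          # must be rejected
        {"Transfer-Encoding": "gzip, chunked"},         # valid: chunked is final
        {"Transfer-Encoding": "chunked", "Content-Length": "7"},
        {"Content-Length": "12"},
        {"Content-Length": "-1"},
        {},
    ]
    for sample in samples:
        print(sample, "->", decide_framing(sample))
```

In a deployment the "reject" outcome maps to a 400 response followed by closing the connection, and the reason string is worth logging: a burst of rejected requests with non-final 'chunked' codings or with both framing headers is a useful detection signal for smuggling attempts against the front end.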
Gunicorn versions 23.0.0 and later address this vulnerability. Users should upgrade to the latest version.