All gunicorn CVEs — Complete Vulnerability History

gunicorn is the most widely-used Python WSGI HTTP server. Both of its CVEs are HTTP request smuggling issues: a server-side vulnerability that can affect every application running behind a reverse proxy, because the proxy and gunicorn may disagree about where one request ends and the next begins.

PyPI: 30M+ weekly downloads · 2 CVEs total

Full CVE history

CVE                Year   Severity   Description                                             Fix
CVE-2018-1000164   2018   HIGH       HTTP request smuggling via header manipulation          Fixed in 19.10.0
CVE-2024-1135      2024   HIGH       HTTP request smuggling via invalid Transfer-Encoding    Fixed in 22.0.0

Current safe version: 22.0.0

Update the pin in requirements.txt (the quotes are not part of requirements.txt syntax):

# Before
gunicorn==20.1.0
# After
gunicorn==22.0.0

Then run: pip install -r requirements.txt
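As an added example (not part of this page or of the gunicorn project), the following script checks an exact `gunicorn==` pin in a requirements file against the two fixed-version boundaries from the table above. It assumes, as the "Fixed in" column implies, that every release older than the fix version is affected; the function names and the sample manifest are constructed for this illustration.

```python
"""Check a pinned gunicorn version against the CVE table on this page.

Added example, not part of the page or the gunicorn project. The two
fixed-version boundaries come from the page's table; everything else
(function names, the sample requirements text) is constructed here.
"""
import re

# CVE id -> (first fixed version, short description), per the page's table.
# Assumption: any version below the fix version is treated as affected.
GUNICORN_CVES = {
    "CVE-2018-1000164": ((19, 10, 0), "HTTP request smuggling via header manipulation"),
    "CVE-2024-1135": ((22, 0, 0), "HTTP request smuggling via invalid Transfer-Encoding"),
}


def parse_version(text):
    """Turn '20.1.0' into (20, 1, 0); trailing tags like 'rc1' are ignored
    and missing components are treated as 0."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def find_pin(requirements, package="gunicorn"):
    """Return the '==' pinned version of `package` in requirements text, or None."""
    pat = re.compile(
        r"^\s*" + re.escape(package) + r"\s*==\s*([0-9][0-9A-Za-z.]*)",
        re.IGNORECASE | re.MULTILINE,
    )
    m = pat.search(requirements)
    return m.group(1) if m else None


def affecting_cves(version_text):
    """CVE ids from the table whose fix version is newer than the pinned one."""
    v = parse_version(version_text)
    return [cve for cve, (fixed, _) in GUNICORN_CVES.items() if v < fixed]


def audit(requirements):
    """Summarise the gunicorn pin found in a requirements file."""
    pin = find_pin(requirements)
    if pin is None:
        return {"pinned": None, "cves": [], "note": "gunicorn not pinned with =="}
    cves = affecting_cves(pin)
    return {"pinned": pin, "cves": cves, "note": "ok" if not cves else "upgrade to 22.0.0"}


# Constructed sample manifest (not a real project's file).
SAMPLE = """flask==3.0.0
gunicorn==20.1.0
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it directly to audit the constructed manifest; in a real project, read requirements.txt and pass its text to `audit()`. Only exact `==` pins are checked, since a range specifier does not tell you which version is actually installed; for that, compare `pip freeze` output instead.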


Common questions

What is HTTP request smuggling?
HTTP request smuggling exploits ambiguity in how front-end proxies and back-end servers parse HTTP requests. An attacker can prefix a malicious request to the next user's request, potentially bypassing access controls or poisoning the request queue.
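Both CVEs on this page involve the request-framing headers (Content-Length and Transfer-Encoding). The following added example, which is not gunicorn's own parser, shows the strict framing check that a defensive HTTP/1.1 server or proxy applies: a request carrying both framing headers, conflicting Content-Length values, or a Transfer-Encoding that is unrecognised or does not end in chunked is rejected outright rather than interpreted. The header samples are constructed.

```python
"""Reject HTTP/1.1 requests whose message framing is ambiguous.

Added example, not gunicorn's parser. It encodes the strict rule from
RFC 7230 section 3.3: a message must not carry both Content-Length and
Transfer-Encoding, and a Transfer-Encoding list must consist of known
codings with 'chunked' as the final one. Disagreement about exactly these
headers between a proxy and a back end is what request smuggling relies
on, so refusing ambiguous requests removes the ambiguity.
"""

# Transfer codings this checker recognises (assumption: a minimal set).
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}


def parse_headers(raw):
    """Parse 'Name: value' lines (CRLF or LF separated) into (name, value) pairs.
    Names are lower-cased so lookups are case-insensitive."""
    headers = []
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def framing_error(headers):
    """Return a rejection reason, or None if the framing is unambiguous."""
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]

    if cl and te:
        return "both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if cl and not cl[0].isdigit():
        return "non-numeric Content-Length"
    if te:
        # Several Transfer-Encoding headers or a comma list are one sequence.
        codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            return "unrecognised transfer coding: %s" % ", ".join(unknown)
        if not codings or codings[-1] != "chunked":
            return "Transfer-Encoding must end with chunked"
    return None


def accept(raw_headers):
    """Convenience wrapper: True if a request with these headers would be accepted."""
    return framing_error(parse_headers(raw_headers)) is None


# Constructed header samples (no request line or body; only framing matters here).
OK_LENGTH = "Host: example.test\r\nContent-Length: 5\r\n"
OK_CHUNKED = "Host: example.test\r\nTransfer-Encoding: chunked\r\n"
BOTH_HEADERS = "Host: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n"
NOT_CHUNKED_LAST = "Host: example.test\r\nTransfer-Encoding: gzip\r\n"

if __name__ == "__main__":
    for sample in (OK_LENGTH, OK_CHUNKED, BOTH_HEADERS, NOT_CHUNKED_LAST):
        print(repr(sample), "->", framing_error(parse_headers(sample)) or "accepted")
```

The useful property for a deployment is that the proxy in front of gunicorn and gunicorn itself make the same decision on every request; rejecting anything ambiguous at the edge is the simplest way to guarantee that, and it complements, rather than replaces, upgrading to 22.0.0.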
Does gunicorn 22.0.0 have breaking changes?
Gunicorn 22 drops Python 3.6 and 3.7 support. For Python 3.8+, the upgrade is straightforward.
