fix(deps): vuln gunicorn (major → 25.3.0)

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

• . (pip)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
gunicorn	20.1.0	25.3.0	major	Direct	2 HIGH

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (2 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
gunicorn	GHSA-w3h3-4rj7-4ph4	HIGH	Request smuggling leading to endpoint restriction bypass in Gunicorn	20.1.0	22.0.0
gunicorn	GHSA-hc5x-x2vx-497g	HIGH	Gunicorn HTTP Request/Response Smuggling vulnerability	20.1.0	22.0.0

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
gunicorn	20.1.0	Mar 27, 2026	25.3.0	requirements.in

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

gunicorn (20.1.0 → 25.3.0) — GitHub Release

25.3.0

Bug Fixes

• HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2
  ASGI requests, causing JSON parsing errors with "Extra data" messages
  ([Bug] HTTP/2 ASGI body duplication - request body delivered twice via `receive()` benoitc/gunicorn#3558)

• ASGI Chunked EOF Handling: Add finish() method to callback parser to handle
  chunked encoding edge case where connection closes before final CRLF after zero-chunk

• HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string
  instead of list syntax ([Docs] http_protocols examples use list syntax but config expects comma-separated string benoitc/gunicorn#3561)

• Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112
  (https://github.com/benoitc/gunicorn/issues/3556)

• Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented,
  instead of using default maximum. Works with both Python and fast C parser.
  (25.2.0 no longer honors --limit-request-line 0 benoitc/gunicorn#3563)

Security

• ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
  • Reject duplicate Content-Length headers
  • Reject requests with both Content-Length and Transfer-Encoding
  • Reject chunked transfer encoding in HTTP/1.0
  • Reject stacked chunked encoding
  • Validate Transfer-Encoding values
  • Strict chunk size validation

Changes

• Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property
  and InvalidChunkExtension validation for bare CR rejection

• ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

• Docker Images: Update to Python 3.14

25.2.0

New Features

• Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
  • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
  • Falls back to Python parser in auto mode if version not met
  • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

• uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. ([Triage] [uwsgi] InvalidUWSGIHeader: incomplete header when using gevent or gthread workers benoitc/gunicorn#3552, PR https://github.com/benoitc/gunicorn/issues/3554)

• FileWrapper Iterator Protocol: Add __iter__ and __next__ methods to FileWrapper for full PEP 3333 compliance. (FileWrapper should be iterable benoitc/gunicorn#3396, PR https://github.com/benoitc/gunicorn/issues/3550)

Performance

• ASGI HTTP Parser Optimizations: Improve ASGI worker HTTP parsing performance
  • Callback-based parsing with direct bytearray buffer operations
  • Use bytearray.find() directly instead of converting to bytes first
  • Use index-based iteration for header parsing instead of list.pop(0) (O(1) vs O(n))

25.1.0

New Features

• Control Interface (gunicornc): Add interactive control interface for managing
  running Gunicorn instances, similar to birdc for BIRD routing daemon
  (PR https://github.com/benoitc/gunicorn/issues/3505)

  • Unix socket-based communication with JSON protocol
  • Interactive mode with readline support and command history
  • Commands: show all/workers/dirty/config/stats/listeners
  • Worker management: worker add/remove/kill, dirty add/remove
  • Server control: reload, reopen, shutdown
  • New settings: --control-socket, --control-socket-mode, --no-control-socket
  • New CLI tool: gunicornc for connecting to control socket
  • See Control Interface Guide for details

• Dirty Stash: Add global shared state between workers via dirty.stash
  (PR https://github.com/benoitc/gunicorn/issues/3503)

  • In-memory key-value store accessible by all workers
  • Supports get, set, delete, clear, keys, and has operations
  • Useful for sharing state like feature flags, rate limits, or cached data

• Dirty Binary Protocol: Implement efficient binary protocol for dirty arbiter IPC
  using TLV (Type-Length-Value) encoding
  (PR https://github.com/benoitc/gunicorn/issues/3500)

  • More efficient than JSON for binary data
  • Supports all Python types: str, bytes, int, float, bool, None, list, dict
  • Better performance for large payloads

• Dirty TTIN/TTOU Signals: Add dynamic worker scaling for dirty arbiters
  (PR https://github.com/benoitc/gunicorn/issues/3504)

  • Send SIGTTIN to increase dirty workers
  • Send SIGTTOU to decrease dirty workers
  • Respects minimum worker constraints from app configurations

Changes

• ASGI Worker: Promoted from beta to stable
• Dirty Arbiters: Now marked as beta feature

Documentation

• Fix Markdown formatting in /configure documentation

25.0.3

What's Changed

Bug Fixes

• Fix RuntimeError when StopIteration raised in ASGI coroutine (ASGI worker: CancelledError propagates to async database operations on client disconnect benoitc/gunicorn#3484)
• Fix passing maxsplit in re.split() as positional argument (deprecated in Python 3.13)

Documentation

• Updated sponsorship section and homepage

Full Changelog: benoitc/gunicorn@25.0.2...25.0.3

25.0.2

What's Changed

Bug Fixes

• Fix ASGI concurrent request failures through nginx proxy
• Graceful disconnect handling for ASGI worker
• Lazy import dirty module for gevent compatibility

Other

• Increase CI timeout for signal tests on PyPy
• Remove trailing blank line in instrument/init.py

Full Changelog: benoitc/gunicorn@25.0.1...25.0.2

25.0.1

Bug Fixes

• Fix ASGI streaming responses (SSE) hanging: add chunked transfer encoding for
  HTTP/1.1 responses without Content-Length header. Without chunked encoding,
  clients wait for connection close to determine end-of-response.

Changes

• Update celery_alternative example to use FastAPI with native ASGI worker and
  uvloop for async task execution

Testing

• Add ASGI compliance test suite with Docker-based integration tests covering HTTP,
  WebSocket, streaming, lifespan, framework integration (Starlette, FastAPI),
  HTTP/2, and concurrency scenarios

(and 9 more releases — view all)

---

Generated by ADMS Sources: 1 GitHub Release.