Skip to content

Changelog

24.1.1 - 2026-01-24

Bug Fixes

  • Fix forwarded_allow_ips and proxy_allow_ips to remain as strings for backward compatibility with external tools like uvicorn. Network validation now uses strict mode to detect invalid CIDR notation (e.g., 192.168.1.1/24 where host bits are set) (#3458, PR #3459)

24.1.0 - 2026-01-23

New Features

  • Official Docker Image: Gunicorn now publishes official Docker images to GitHub Container Registry at ghcr.io/benoitc/gunicorn
  • Based on Python 3.12 slim image
  • Uses recommended worker formula (2 × CPU + 1)

  • Configurable via environment variables

  • PROXY Protocol v2 Support: Extended PROXY protocol implementation to support the binary v2 format in addition to the existing text-based v1 format

  • New --proxy-protocol modes: off, v1, v2, auto

  • Works with HAProxy, AWS NLB/ALB, and other PROXY protocol v2 sources

  • CIDR Network Support: --forwarded-allow-ips and --proxy-allow-from now accept CIDR notation (e.g., 192.168.0.0/16) for specifying trusted networks

  • Socket Backlog Metric: New gunicorn.socket.backlog gauge metric reports the current socket backlog size on Linux systems

  • InotifyReloader Enhancement: The inotify-based reloader now watches newly imported modules, not just those loaded at startup

Bug Fixes

  • Fix signal handling regression where SIGCLD alias caused errors on Linux
  • Fix socket blocking mode on keepalive connections with async workers
  • Handle SSLWantReadError in finish_body() to prevent worker hangs
  • Log SIGTERM as info level instead of warning
  • Print exception details to stderr when worker fails to boot
  • Fix unreader.unread() to prepend data to buffer instead of appending
  • Prevent RecursionError when pickling Config objects

24.0.0 - 2026-01-23

New Features

  • ASGI Worker (Beta): Native asyncio-based ASGI support for running async Python frameworks like FastAPI, Starlette, and Quart without external dependencies
  • HTTP/1.1 with keepalive connections
  • WebSocket support
  • Lifespan protocol for startup/shutdown hooks

  • Optional uvloop for improved performance

  • uWSGI Binary Protocol: Support for receiving requests from nginx via uwsgi_pass directive

  • Documentation Migration: Migrated to MkDocs with Material theme

Security

  • eventlet: Require eventlet >= 0.40.3 (CVE-2021-21419, CVE-2025-58068)
  • gevent: Require gevent >= 24.10.1 (CVE-2023-41419, CVE-2024-3219)
  • tornado: Require tornado >= 6.5.0 (CVE-2025-47287)

23.0.0 - 2024-08-10

  • minor docs fixes (PR #3217, PR #3089, PR #3167)
  • worker_class parameter accepts a class (PR #3079)
  • fix deadlock if request terminated during chunked parsing (PR #2688)
  • permit receiving Transfer-Encodings: compress, deflate, gzip (PR #3261)
  • permit Transfer-Encoding headers specifying multiple encodings. note: no parameters, still (PR #3261)
  • sdist generation now explicitly excludes sphinx build folder (PR #3257)
  • decode bytes-typed status (as can be passed by gevent) as utf-8 instead of raising TypeError (PR #2336)
  • raise correct Exception when encounting invalid chunked requests (PR #3258)
  • the SCRIPT_NAME and PATH_INFO headers, when received from allowed forwarders, are no longer restricted for containing an underscore (PR #3192)
  • include IPv6 loopback address [::1] in default for forwarded-allow-ips and proxy-allow-ips (PR #3192)

Note

  • The SCRIPT_NAME change mitigates a regression that appeared first in the 22.0.0 release
  • Review your forwarded-allow-ips setting if you are still not seeing the SCRIPT_NAME transmitted
  • Review your forwarder-headers setting if you are missing headers after upgrading from a version prior to 22.0.0

Breaking changes

  • refuse requests where the uri field is empty (PR #3255)
  • refuse requests with invalid CR/LR/NUL in heade field values (PR #3253)
  • remove temporary --tolerate-dangerous-framing switch from 22.0 (PR #3260)
  • If any of the breaking changes affect you, be aware that now refused requests can post a security problem, especially so in setups involving request pipe-lining and/or proxies.

22.0.0 - 2024-04-17

  • use utime to notify workers liveness
  • migrate setup to pyproject.toml
  • fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
  • parsing additional requests is no longer attempted past unsupported request framing
  • on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
  • requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
  • Trailer fields are no longer inspected for headers indicating secure scheme
  • support Python 3.12

Breaking changes

  • minimum version is Python 3.7
  • the limitations on valid characters in the HTTP method have been bounded to Internet Standards
  • requests specifying unsupported transfer coding (order.md) are refused by default (rare.md)
  • HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
  • HTTP methods containing the number sign (#) are no longer accepted by default (rare.md)
  • HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
  • HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
  • HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
  • HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
  • requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
  • empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)

Security

  • fix CVE-2024-1135

History