Suggestions search

All statuses

Filter by:

With package: granian

Found 2 matching suggestions

View:

Compact

Detailed

Published

Permalink CVE-2026-42544

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 6 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse accepted 7 hours ago
@LeSuisse published on GitHub 6 hours ago

Granian: Unauthenticated DoS via WebSocket subprotocol header panic

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked. This vulnerability is fixed in 2.7.4.

References

https://github.com/emmett-framework/granian/security/advisories/GHSA-vrg7-482j-p6f6 x_refsource_CONFIRM

Affected products

granian

==>= 1.2.0, < 2.7.4

Matching in nixpkgs

pkgs.granian

Rust HTTP server for Python ASGI/WSGI/RSGI applications

nixos-unstable 2.7.2
- nixpkgs-unstable 2.7.2
- nixos-unstable-small 2.7.2
nixos-25.11 2.5.6
- nixos-25.11-small 2.5.6
- nixpkgs-25.11-darwin 2.5.6

pkgs.python312Packages.granian

Rust HTTP server for Python ASGI/WSGI/RSGI applications

nixos-25.11 2.5.6
- nixos-25.11-small 2.5.6
- nixpkgs-25.11-darwin 2.5.6

pkgs.python313Packages.granian

Rust HTTP server for Python ASGI/WSGI/RSGI applications

nixos-unstable 2.7.2
- nixpkgs-unstable 2.7.2
- nixos-unstable-small 2.7.2
nixos-25.11 2.5.6
- nixos-25.11-small 2.5.6
- nixpkgs-25.11-darwin 2.5.6

pkgs.python314Packages.granian

Rust HTTP server for Python ASGI/WSGI/RSGI applications

nixos-unstable 2.7.2
- nixpkgs-unstable 2.7.2
- nixos-unstable-small 2.7.2

Package maintainers

@lucastso10 Lucas Teixeira Soares <lucastso10@gmail.com>
@pbsds Peder Bergebakken Sundt <pbsds@hotmail.com>

Published

Permalink CVE-2026-42545

5.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 6 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse accepted 7 hours ago
@LeSuisse published on GitHub 6 hours ago

Granian: DoS via WSGI response header panic

Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error. This vulnerability is fixed in 2.7.4.