Suggestions search

Published

Filter by:

With package: python314Packages.daphne

Found 2 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-44545

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 1 week, 2 days ago by @LeSuisse Activity log

Created suggestion 1 week, 3 days ago
@LeSuisse accepted 1 week, 2 days ago
@LeSuisse published on GitHub 1 week, 2 days ago

Unbounded WebSocket message and frame sizes can cause unauthenticated remote denial of service

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service.

References

https://github.com/django/daphne/blob/main/CHANGELOG.txt release-notes

Affected products

daphne

==4.2.2
=<4.2.1

Matching in nixpkgs

pkgs.python313Packages.daphne

Django ASGI (HTTP/WebSocket) server

nixos-unstable 4.2.1
- nixpkgs-unstable 4.2.1
- nixos-unstable-small 4.2.1
nixos-26.05 4.2.1
- nixos-26.05-small 4.2.1
- nixpkgs-26.05-darwin 4.2.1

pkgs.python314Packages.daphne

Django ASGI (HTTP/WebSocket) server

nixos-unstable 4.2.1
- nixpkgs-unstable 4.2.1
- nixos-unstable-small 4.2.1
nixos-26.05 4.2.1
- nixos-26.05-small 4.2.1
- nixpkgs-26.05-darwin 4.2.1

Permalink CVE-2026-44546

3.7 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 1 week, 2 days ago by @LeSuisse Activity log

Created suggestion 1 week, 3 days ago
@LeSuisse accepted 1 week, 2 days ago
@LeSuisse published on GitHub 1 week, 2 days ago

Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.

References

https://github.com/django/daphne/blob/main/CHANGELOG.txt release-notes

Affected products

daphne

==4.2.2
=<4.2.1

Matching in nixpkgs

pkgs.python313Packages.daphne

Django ASGI (HTTP/WebSocket) server

nixos-unstable 4.2.1
- nixpkgs-unstable 4.2.1
- nixos-unstable-small 4.2.1
nixos-26.05 4.2.1
- nixos-26.05-small 4.2.1
- nixpkgs-26.05-darwin 4.2.1

pkgs.python314Packages.daphne

Django ASGI (HTTP/WebSocket) server

nixos-unstable 4.2.1
- nixpkgs-unstable 4.2.1
- nixos-unstable-small 4.2.1
nixos-26.05 4.2.1
- nixos-26.05-small 4.2.1
- nixpkgs-26.05-darwin 4.2.1