Skip to main content

Daphne

2 CVEs product

Monthly

CVE-2026-44546 PyPI MEDIUM PATCH This Month

Header injection via parser differential in daphne before 4.2.2 allows unauthenticated remote attackers to smuggle synthetic headers into the ASGI scope received by Django applications during WebSocket handshake processing. The root cause is that Twisted (which daphne uses to parse inbound HTTP) ignores six specific Unicode bytes as line separators, while autobahn (which daphne feeds for WebSocket negotiation) calls Python's str.splitlines() and recognizes them - causing a single header value to be split into multiple injected header lines. No public exploit has been identified at time of analysis, and CVSS scores this at 3.7 (Low) due to high attack complexity, though real-world severity scales with how heavily the downstream application trusts ASGI-scope headers for security decisions.

Code Injection Request Smuggling Daphne Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44545 PyPI HIGH PATCH This Week

Denial of service in Django Daphne before 4.2.2 allows unauthenticated remote attackers to exhaust server memory by sending oversized WebSocket frames or messages. The flaw stems from Daphne failing to forward maxFramePayloadSize and maxMessagePayloadSize limits to the underlying Autobahn WebSocketServerFactory, which defaults both to unlimited. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS:3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-reachable abuse against any deployment exposing WebSockets.

Denial Of Service Daphne
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Header injection via parser differential in daphne before 4.2.2 allows unauthenticated remote attackers to smuggle synthetic headers into the ASGI scope received by Django applications during WebSocket handshake processing. The root cause is that Twisted (which daphne uses to parse inbound HTTP) ignores six specific Unicode bytes as line separators, while autobahn (which daphne feeds for WebSocket negotiation) calls Python's str.splitlines() and recognizes them - causing a single header value to be split into multiple injected header lines. No public exploit has been identified at time of analysis, and CVSS scores this at 3.7 (Low) due to high attack complexity, though real-world severity scales with how heavily the downstream application trusts ASGI-scope headers for security decisions.

Code Injection Request Smuggling Daphne +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Django Daphne before 4.2.2 allows unauthenticated remote attackers to exhaust server memory by sending oversized WebSocket frames or messages. The flaw stems from Daphne failing to forward maxFramePayloadSize and maxMessagePayloadSize limits to the underlying Autobahn WebSocketServerFactory, which defaults both to unlimited. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS:3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-reachable abuse against any deployment exposing WebSockets.

Denial Of Service Daphne
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy