Source: python-daphne
Version: 4.2.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for python-daphne.

CVE-2026-44545[0]:
| daphne before 4.2.2 did not pass maxFramePayloadSize or
| maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because
| Autobahn defaults both values to 0 (unlimited), an unauthenticated
| remote attacker could send arbitrarily large WebSocket messages or
| frames, causing excessive memory consumption and a denial of
| service.

CVE-2026-44546[1]:
| daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's
| parsed headers and feeds it to autobahn for WebSocket handshake
| processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or
| \x85 as header line separators, but autobahn decodes header values
| to str and calls splitlines(). An attacker can exploit this parser
| differential to inject additional headers into the ASGI scope passed
| to the application. daphne now rejects requests with these bytes in
| any header value with a 400 response.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44545
    https://www.cve.org/CVERecord?id=CVE-2026-44545
[1] https://security-tracker.debian.org/tracker/CVE-2026-44546
    https://www.cve.org/CVERecord?id=CVE-2026-44546

Regards,
Salvatore
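The parser differential behind CVE-2026-44546, shown in a small added example that is not part of the bug report and is not daphne's, Twisted's or autobahn's own code. Two toy header parsers read the same constructed handshake bytes: one splits only on CR/LF, the other decodes to str and calls splitlines(), so a single \x0b inside a header value becomes an extra header in the second view. The last function is the reject-with-400 check the report describes, written over the raw bytes so it catches \x85 before any decoding. All function names and the sample request are assumptions made for this example.

```python
# Added example (not daphne/Twisted/autobahn code): parser differential and
# the header-value reject check for CVE-2026-44546. Names are assumptions.

# Bytes that str.splitlines() treats as line boundaries but a CR/LF-only
# HTTP header parser does not. 0x85 becomes U+0085 (NEL) under latin-1.
REJECTED_HEADER_BYTES = frozenset(b"\x0b\x0c\x1c\x1d\x1e\x85")


def parse_headers_crlf(raw: bytes) -> dict[str, str]:
    """Toy parser that only recognises CRLF as a header line separator."""
    headers: dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if b":" not in line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def parse_headers_with_splitlines(raw: bytes) -> dict[str, str]:
    """Toy parser that decodes to str and splits with str.splitlines(),
    mirroring the reconstructed-request path the report describes."""
    headers: dict[str, str] = {}
    for line in raw.decode("latin-1").splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def injected_header_names(raw: bytes) -> set[str]:
    """Header names that exist only in the splitlines() view of the request."""
    return set(parse_headers_with_splitlines(raw)) - set(parse_headers_crlf(raw))


def should_reject(raw: bytes) -> bool:
    """The mitigation: refuse (HTTP 400) any request whose header values
    contain a byte that splitlines() would treat as a line separator.
    Checked on the raw bytes, before decoding, so \\x85 is caught too."""
    for line in raw.split(b"\r\n"):
        _, _, value = line.partition(b":")
        if set(value) & REJECTED_HEADER_BYTES:
            return True
    return False


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = b"Host: example.test\r\nUpgrade: websocket\r\n"
SMUGGLED_REQUEST = b"Host: example.test\r\nX-Orig: a\x0bX-Injected: yes\r\n"

if __name__ == "__main__":
    print("CRLF view:      ", parse_headers_crlf(SMUGGLED_REQUEST))
    print("splitlines view:", parse_headers_with_splitlines(SMUGGLED_REQUEST))
    print("injected:", injected_header_names(SMUGGLED_REQUEST))
    print("reject clean:", should_reject(CLEAN_REQUEST))
    print("reject smuggled:", should_reject(SMUGGLED_REQUEST))
```

The CR/LF parser keeps `X-Orig` as one value containing the stray \x0b, while the splitlines() parser produces a separate `x-injected` header; the reject check closes the gap by refusing the request before either view is built. The first CVE in the report is a configuration fix (passing frame and message payload limits to the Autobahn factory) and is not shown here.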

