Granian WebSocket Protocol Header Handling Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in Granian, a Rust HTTP server for Python applications, affecting versions 1.2.0 through 2.7.4. The issue arises when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. Granian panics while constructing the WebSocket scope, before the ASGI application is invoked, and the worker process aborts. A single crafted request crashes one worker; repeating it until every worker has been hit takes the service offline.
Impact
Exploitation of this vulnerability crashes the worker process handling the WebSocket request, causing a denial-of-service condition. In release builds of Granian, the panic raised during scope construction is not caught, so the worker terminates unexpectedly. The effect is amplified by sending repeated requests so that different workers are hit, causing a more widespread service disruption.
Reproduction
To reproduce this vulnerability, start a Granian ASGI server with a simple WebSocket application. Then send a raw WebSocket upgrade request whose Sec-WebSocket-Protocol header includes non-ASCII bytes. The worker process that handles the request crashes and terminates, leading to a denial-of-service condition.
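The defect described above is a header value that is converted to a string and unwrapped, so bytes outside the header's allowed alphabet become a panic instead of a rejected request. The following Rust code is an added illustration, not Granian's implementation: it places a minimal unchecked parser beside a hardened one that returns an error the caller can map to a 400 response before any WebSocket scope is built. The function names, the `HeaderError` type and the sample inputs are constructed for this example; the visible-ASCII rule in `header_bytes_to_str` is an assumption modelled on the check the Rust `http` crate applies in `HeaderValue::to_str`.

```rust
// Added example (not Granian's code): parsing a Sec-WebSocket-Protocol header
// value so that malformed bytes yield a rejectable error instead of a
// process-killing panic. All names below are hypothetical.

/// Error returned for a header value that must be rejected.
#[derive(Debug, PartialEq, Eq)]
pub enum HeaderError {
    /// A byte outside the visible-ASCII range (plus HTAB) was present.
    NonAscii { offset: usize, byte: u8 },
    /// An element of the comma-separated list was empty.
    EmptyToken,
    /// An element contained a character that is not an RFC 7230 tchar.
    InvalidToken(String),
}

/// Visible-ASCII rule (0x20..=0x7E or HTAB) applied to raw header bytes.
/// Assumption: this models the check the Rust `http` crate performs in
/// `HeaderValue::to_str`, where an offending byte produces an Err.
fn header_bytes_to_str(raw: &[u8]) -> Result<&str, HeaderError> {
    for (offset, &byte) in raw.iter().enumerate() {
        let visible = (0x20..=0x7E).contains(&byte) || byte == b'\t';
        if !visible {
            return Err(HeaderError::NonAscii { offset, byte });
        }
    }
    // Every byte is ASCII, so this conversion cannot fail.
    Ok(std::str::from_utf8(raw).expect("ASCII is valid UTF-8"))
}

/// RFC 7230 tchar: the characters allowed in an HTTP token, which is what
/// RFC 6455 requires each subprotocol name to be.
fn is_tchar(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b)
}

/// The failure mode the advisory describes, reduced to its essence: the
/// conversion result is unwrapped, so a non-ASCII byte panics. In a server
/// worker without a panic boundary, that panic kills the worker.
pub fn parse_subprotocols_unchecked(raw: &[u8]) -> Vec<String> {
    let s = header_bytes_to_str(raw).expect("Sec-WebSocket-Protocol must be ASCII");
    s.split(',')
        .map(|p| p.trim().to_string())
        .filter(|p| !p.is_empty())
        .collect()
}

/// Hardened form: the same parse, but every malformed input is an Err the
/// caller can turn into a 400 Bad Request before any scope is built.
pub fn parse_subprotocols(raw: &[u8]) -> Result<Vec<String>, HeaderError> {
    let s = header_bytes_to_str(raw)?;
    let mut names = Vec::new();
    for element in s.split(',') {
        let token = element.trim_matches(|c| c == ' ' || c == '\t');
        if token.is_empty() {
            return Err(HeaderError::EmptyToken);
        }
        if !token.bytes().all(is_tchar) {
            return Err(HeaderError::InvalidToken(token.to_string()));
        }
        names.push(token.to_string());
    }
    Ok(names)
}

fn main() {
    // Constructed sample inputs: a well-formed list, and the advisory's case
    // of non-ASCII bytes (here the UTF-8 encoding of "é") in the value.
    let good: &[u8] = b"chat, superchat";
    let bad: &[u8] = b"chat, \xc3\xa9";

    println!("{:?}", parse_subprotocols(good));
    println!("{:?}", parse_subprotocols(bad));

    // The unchecked path panics on the same bytes; it is caught here only to
    // show the contrast in one run. A worker without such a boundary dies.
    let outcome = std::panic::catch_unwind(|| parse_subprotocols_unchecked(bad));
    println!("unchecked parser panicked: {}", outcome.is_err());
}
```

The design point is that header validation belongs at the protocol layer and must be total: every byte sequence a client can send maps to either a parsed value or an error, and the server answers errors with a 4xx response rather than letting them propagate as a panic. The token check is stricter than the ASCII check alone and also rejects values that are ASCII but not valid subprotocol names.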
Remediation
Users can upgrade to Granian version 2.7.4, where this vulnerability has been fixed.