Granian HTTP Server Denial-of-Service Vulnerability via Invalid WSGI Response Headers

Vulnerability

A denial-of-service vulnerability has been identified in Granian, a Rust-based HTTP server for Python applications, affecting versions from 0.2.0 up to, but not including, the fixed release 2.7.4. The issue arises when a WSGI application returns a response header whose name or value is not a valid HTTP header field: a name containing a space, or a value containing a carriage return, line feed, NUL byte or another control character. Granian's WSGI response path builds header names and values with fallible constructors (the `http` crate's `HeaderName` and `HeaderValue` constructors return an error for invalid input) and calls `unwrap()` on the result, so an invalid header triggers a panic rather than a handled error, and the panic takes down the worker process. Exploiting this requires a WSGI application that either emits such a header itself or can be driven to do so, typically by reflecting request-controlled data (a redirect target, a reflected value, a cookie) into a response header.

Impact

Exploitation causes the Granian worker process to abort instead of returning an error response, so every connection that worker was handling is dropped and the worker must be restarted before it serves traffic again. The practical consequence is an escalation: an application defect that would otherwise be a header-injection bug, or simply a 500 response, becomes a crash. PEP 3333 already forbids control characters in WSGI header values, but the server is the last line of defence and is expected to reject such headers rather than die on them; with this bug, any code path where attacker-controlled input reaches a response header can be used to take workers down repeatedly with cheap requests.

Reproduction

To reproduce, serve a WSGI application under an unpatched Granian that returns a response header violating the HTTP grammar: a name containing a space, or a value containing a carriage return, line feed, NUL byte or other malformed data (a redirect whose Location header is built from a query parameter is enough). Send a request that makes the application emit that header. Instead of a 500 response the connection is dropped and the worker process crashes, demonstrating the denial-of-service condition; if several workers are configured, the remaining workers keep answering until each has been hit in turn.
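The following is an added example, not code from the Granian project or from the original advisory. It makes the trigger concrete as a WSGI app (a redirect that copies a request parameter into the Location header, the kind of reflection the Impact section warns about) and pairs it with a small guard middleware that validates header names and values on the Python side, so a malformed header becomes a 500 before it ever reaches the server. The `next` parameter, the `header_guard` and `run_app` names, and the validation rules (RFC 7230 token names, visible-ASCII values) are assumptions of this example, not Granian behaviour.

```python
import re
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Header field names must be RFC 7230 tokens.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Field values: visible ASCII plus SP and HTAB. This rejects CR, LF, NUL and
# every other control character. It is stricter than some servers (which may
# also accept bytes >= 0x80) but never passes a value a server must refuse.
_VALUE_RE = re.compile(r"^[\t\x20-\x7e]*$")

_REJECT_BODY = b"invalid response header\n"


def header_is_valid(name, value):
    """Return True if (name, value) is a well-formed HTTP/1.1 header pair."""
    return (isinstance(name, str) and isinstance(value, str)
            and bool(_TOKEN_RE.match(name)) and bool(_VALUE_RE.match(value)))


def redirect_app(environ, start_response):
    """Constructed trigger: copies the `next` query parameter into Location
    without validation. `GET /?next=/x%0D%0AInjected:%201` makes it emit a
    header value containing CRLF, the kind of header that crashes an
    unpatched Granian worker."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    target = params.get("next", ["/"])[0]
    start_response("302 Found", [("Location", target)])
    return [b""]


def header_guard(app):
    """WSGI middleware (assumed name): if the wrapped app hands over an
    invalid header, replace the response with a plain 500 so the bad header
    never leaves Python."""
    def wrapped(environ, start_response):
        rejected = []

        def guarded_start_response(status, headers, exc_info=None):
            bad = [(n, v) for n, v in headers if not header_is_valid(n, v)]
            if bad:
                rejected.append(bad)
                return start_response(
                    "500 Internal Server Error",
                    [("Content-Type", "text/plain"),
                     ("Content-Length", str(len(_REJECT_BODY)))],
                    exc_info,
                )
            return start_response(status, headers, exc_info)

        body_iter = app(environ, guarded_start_response)
        if rejected:
            # The status line already went out as 500; drop the app's body.
            if hasattr(body_iter, "close"):
                body_iter.close()
            return [_REJECT_BODY]
        return body_iter
    return wrapped


def run_app(app, query_string=""):
    """Drive a WSGI app in-process (no server) and capture what it emits."""
    environ = {}
    setup_testing_defaults(environ)
    environ["QUERY_STRING"] = query_string
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    evil = "next=/x%0D%0AInjected:%201"
    status, headers, _ = run_app(redirect_app, evil)
    print("unguarded:", status, headers)   # Location value contains CRLF
    status, headers, _ = run_app(header_guard(redirect_app), evil)
    print("guarded:  ", status, headers)   # 500, bad header never emitted
```

Run as a script, the unguarded app returns a 302 whose Location value contains a literal CRLF, which is what an unpatched worker unwraps and dies on; wrapped in `header_guard`, the same request yields a 500 and the worker stays up. The guard is a stop-gap for applications that cannot upgrade immediately, not a substitute for the fix.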

Remediation

Upgrade to Granian version 2.7.4 or later, where this vulnerability has been fixed. Until the upgrade is applied, validate response headers in the application or in WSGI middleware so that names and values containing control characters never reach the server.

Added: May 12, 2026, 10:33 PM
Updated: May 12, 2026, 10:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.