Daphne Header Injection Vulnerability in WebSocket Handshake Processing

Vulnerability

A header injection vulnerability has been identified in Daphne versions prior to 4.2.2. The issue arises during the WebSocket handshake, where Daphne reconstructs a raw HTTP request from Twisted's parsed headers. Twisted does not recognize certain byte sequences as header line separators, but Autobahn, which handles WebSocket handshakes, does. This discrepancy allows an attacker to inject additional headers into the ASGI scope passed to the application by exploiting the way the two components parse and interpret headers. The affected header values could include authentication tokens and other sensitive information.

Impact

Exploitation of this vulnerability allows header injection during the WebSocket handshake, so that additional headers can be placed into the ASGI scope, where the application may read and trust them.

Remediation

Users can update to Daphne version 4.2.2 or later, which addresses the vulnerability by rejecting requests whose header values contain the problematic byte sequences and responding with a 400 Bad Request.
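The defect described above and the fix described here both come down to one pattern: when parsed headers are re-serialised into a raw request for a second parser, any byte the second parser might treat as a line separator must be rejected before serialisation. The following is an added illustration of that check, not Daphne's own code or its actual fix. The rejected byte set is an assumption taken from the RFC 7230 field-value grammar (VCHAR, SP, HTAB, obs-text) rather than the specific sequences the advisory refers to; the function names, the sample header values and the lenient line counter are constructed for this example.

```python
"""Strict header validation before re-serialising parsed headers.

Added example (assumption-based, not Daphne's code). It contrasts a naive
reconstruction, where a value containing a separator byte becomes an extra
header line for a lenient second parser, with a hardened version that
rejects such values so the caller can answer 400 Bad Request.
"""
from __future__ import annotations

import re

# Assumption: RFC 7230 field-value grammar. VCHAR (0x21-0x7E), SP, HTAB and
# obs-text (0x80-0xFF) are allowed; CR, LF, NUL, other C0 controls and DEL are
# rejected, which covers anything a line-oriented parser could treat as a
# separator.
_FIELD_VALUE_RE = re.compile(rb"\A[\x21-\x7e\x80-\xff\x20\x09]*\Z")
# RFC 7230 token characters for header names.
_TOKEN_RE = re.compile(rb"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")


class BadRequest(ValueError):
    """Raised when a header is unsafe to re-serialise; map this to HTTP 400."""


def validate_header(name: bytes, value: bytes) -> None:
    """Reject header names and values outside the strict grammar."""
    if not _TOKEN_RE.match(name):
        raise BadRequest(f"invalid header name: {name!r}")
    if not _FIELD_VALUE_RE.match(value):
        raise BadRequest(f"invalid header value for {name!r}: {value!r}")


def naive_build_raw_request(method: bytes, path: bytes, headers: list) -> bytes:
    """Vulnerable pattern: re-serialise parsed headers with no validation."""
    lines = [b"%s %s HTTP/1.1" % (method, path)]
    lines += [b"%s: %s" % (name, value) for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def build_raw_request(method: bytes, path: bytes, headers: list) -> bytes:
    """Hardened pattern: validate every header before re-serialising."""
    for name, value in headers:
        validate_header(name, value)
    return naive_build_raw_request(method, path, headers)


def count_header_lines(raw: bytes) -> int:
    """Count header lines the way a lenient parser would, splitting on CRLF,
    bare CR or bare LF. A mismatch against len(headers) reveals injection."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(re.split(rb"\r\n|\r|\n", head)) - 1  # minus the request line


if __name__ == "__main__":
    # Constructed sample values; the second one embeds a bare LF.
    clean = [(b"Host", b"example.test"), (b"X-Token", b"abc123")]
    tainted = [(b"Host", b"example.test"), (b"X-Token", b"abc123\nInjected: yes")]

    print("naive, clean  :", count_header_lines(naive_build_raw_request(b"GET", b"/ws", clean)))
    print("naive, tainted:", count_header_lines(naive_build_raw_request(b"GET", b"/ws", tainted)))
    try:
        build_raw_request(b"GET", b"/ws", tainted)
    except BadRequest as exc:
        print("hardened, tainted -> 400 Bad Request:", exc)
```

The point of `count_header_lines` is purely diagnostic: a second parser that splits on a bare CR or LF sees three header lines where two were supplied, which is exactly the discrepancy between the two components that the advisory describes. The hardened builder never reaches that parser with such a value.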

Added: Jun 3, 2026, 2:36 PM
Updated: Jun 3, 2026, 2:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 9.9
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.