{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/granian/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["granian"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","websocket","granian"],"_cs_type":"advisory","_cs_vendors":["emmett-framework"],"content_html":"\u003cp\u003eGranian, a Rust-based HTTP server for Python applications, is susceptible to a denial-of-service (DoS) attack affecting versions 1.2.0 through 2.7.3. An unauthenticated attacker can crash a worker process by sending a single crafted WebSocket upgrade request whose \u003ccode\u003eSec-WebSocket-Protocol\u003c/code\u003e header contains non-ASCII bytes. Handling that header triggers a panic in Granian\u0026rsquo;s WebSocket scope construction path before the application code is reached. The vulnerability was reported in GHSA-vrg7-482j-p6f6 and assigned CVE-2026-42544. Successful exploitation terminates the worker, and repeated requests can take the entire service offline. 
The flaw is a missing input check in the server\u0026rsquo;s own header handling, a layer that application code never sees, so it has to be fixed in the server rather than worked around in the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the Granian server, attempting to establish a WebSocket connection.\u003c/li\u003e\n\u003cli\u003eThe request includes the standard WebSocket handshake headers \u003ccode\u003eUpgrade: websocket\u003c/code\u003e, \u003ccode\u003eConnection: Upgrade\u003c/code\u003e, \u003ccode\u003eSec-WebSocket-Key\u003c/code\u003e, and \u003ccode\u003eSec-WebSocket-Version\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eSec-WebSocket-Protocol\u003c/code\u003e header to a value containing non-ASCII bytes (e.g., \u003ccode\u003e\\x80\\xff\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhile building the ASGI WebSocket scope, Granian\u0026rsquo;s \u003ccode\u003easgi/utils.rs\u003c/code\u003e converts the \u003ccode\u003eSec-WebSocket-Protocol\u003c/code\u003e header value to a string.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eHeaderValue::to_str()\u003c/code\u003e accepts only visible ASCII (bytes 0x20 to 0x7E, plus tab), so it returns \u003ccode\u003eErr\u003c/code\u003e for the non-ASCII bytes.\u003c/li\u003e\n\u003cli\u003eThe code calls \u003ccode\u003e.unwrap()\u003c/code\u003e on that result; unwrapping an \u003ccode\u003eErr\u003c/code\u003e panics.\u003c/li\u003e\n\u003cli\u003eGranian is configured to abort on panic, so the panic terminates the worker process.\u003c/li\u003e\n\u003cli\u003eRepeating the request crashes workers as fast as they are restarted, and the service becomes unavailable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in a denial-of-service condition. An unauthenticated attacker can remotely crash a Granian worker process with a single, specially crafted WebSocket upgrade request. The application code is never reached, so application-level authentication and authorization provide no mitigation. 
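\u003c/p\u003e\n\u003cp\u003eThe following Python script is an added example and is not Granian\u0026rsquo;s code. It reproduces the failure mode of the attack chain above at the level of a small header parser: \u003ccode\u003eheader_to_str\u003c/code\u003e mirrors the visible-ASCII check behind \u003ccode\u003eHeaderValue::to_str()\u003c/code\u003e, \u003ccode\u003evulnerable_ws_scope\u003c/code\u003e unwraps the result the way the affected path does, and \u003ccode\u003ehardened_ws_scope\u003c/code\u003e turns the same error into a refused upgrade. It also carries a log check in the spirit of the Sigma rule recommended below. The upgrade request, the key=value log format and every log line are constructed for the example; the function and field names are assumptions, not Granian identifiers.\u003c/p\u003e

```python
# Added example, not Granian code: models the vulnerable and the hardened
# handling of Sec-WebSocket-Protocol, plus a log check in the spirit of the
# Sigma rule. Every request and log line below is constructed for the demo.

SP, TAB, CR, LF = 0x20, 0x09, 0x0D, 0x0A


def is_visible_ascii(b: int) -> bool:
    # The check behind http::HeaderValue::to_str: printable ASCII and tab pass.
    return SP <= b <= 0x7E or b == TAB


def header_to_str(value: bytes) -> str:
    # Python stand-in for HeaderValue::to_str(): Err (here ValueError) on the
    # first byte that is not visible ASCII.
    for b in value:
        if not is_visible_ascii(b):
            raise ValueError('header value contains a non-visible-ASCII byte')
    return value.decode('ascii')


def parse_headers(raw: bytes) -> dict:
    # Minimal HTTP/1.1 request-header parser: names lower-cased, values kept
    # as the raw bytes that arrived on the wire.
    crlf = bytes([CR, LF])
    head = raw.partition(crlf + crlf)[0]
    headers = {}
    for line in head.split(crlf)[1:]:          # skip the request line
        name, _, value = line.partition(b':')
        headers[name.strip().lower().decode('ascii')] = value.strip()
    return headers


def split_subprotocols(text: str) -> list:
    return [s.strip() for s in text.split(',') if s.strip()]


def vulnerable_ws_scope(headers: dict) -> dict:
    # Vulnerable pattern: to_str().unwrap(). The ValueError escapes; it stands
    # for the panic that, with panic=abort, kills the worker before the app runs.
    text = header_to_str(headers['sec-websocket-protocol'])   # .unwrap()
    return {'type': 'websocket', 'subprotocols': split_subprotocols(text)}


def hardened_ws_scope(headers: dict):
    # Hardened pattern: a malformed value is a client error, so the upgrade
    # is refused (None, i.e. answer 400) and the worker keeps serving.
    try:
        text = header_to_str(headers.get('sec-websocket-protocol', b''))
    except ValueError:
        return None
    return {'type': 'websocket', 'subprotocols': split_subprotocols(text)}


def upgrade_request(subprotocol: bytes) -> bytes:
    # Constructed WebSocket upgrade request; the key is the RFC 6455 sample key.
    crlf = bytes([CR, LF])
    lines = [
        b'GET /ws HTTP/1.1',
        b'Host: example.invalid',
        b'Upgrade: websocket',
        b'Connection: Upgrade',
        b'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
        b'Sec-WebSocket-Version: 13',
        b'Sec-WebSocket-Protocol: ' + subprotocol,
    ]
    return crlf.join(lines) + crlf + crlf


def simulate(build_scope, request: bytes) -> str:
    # Feed a raw request to a scope builder and report what the worker did.
    try:
        scope = build_scope(parse_headers(request))
    except ValueError:
        return 'worker aborted'        # unwrap() on Err: panic, then abort
    return 'rejected 400' if scope is None else 'accepted'


def suspicious_subprotocol(field: str) -> bool:
    # Detection logic in the spirit of the Sigma rule: any character outside
    # visible ASCII in the logged Sec-WebSocket-Protocol value is a hit. Assumes
    # the log stores the raw bytes decoded as latin-1 (one byte, one code point).
    return any(not is_visible_ascii(ord(c)) for c in field)


def scan_log(log_lines: list) -> list:
    # Constructed key=value access-log format; returns indices of flagged lines.
    return [i for i, line in enumerate(log_lines)
            for field in line.split(' ')
            if field.startswith('ws_proto=') and suspicious_subprotocol(field[9:])]


SAMPLE_LOG = [   # constructed lines; the second carries bytes 0x80 0xFF
    'src=198.51.100.7 method=GET path=/ws status=101 ws_proto=chat',
    'src=198.51.100.7 method=GET path=/ws status=- ws_proto=' + bytes([0x80, 0xFF]).decode('latin-1'),
    'src=203.0.113.4 method=GET path=/ws status=101 ws_proto=graphql-ws',
]

if __name__ == '__main__':
    bad = upgrade_request(bytes([0x80, 0xFF]))
    print('vulnerable:', simulate(vulnerable_ws_scope, bad))   # worker aborted
    print('hardened:  ', simulate(hardened_ws_scope, bad))     # rejected 400
    print('flagged log lines:', scan_log(SAMPLE_LOG))          # [1]
```

\u003cp\u003eThe same request that ends in \u003ccode\u003eworker aborted\u003c/code\u003e for the vulnerable builder is simply refused by the hardened one; that is the whole difference between \u003ccode\u003e.unwrap()\u003c/code\u003e and propagating the error as a client-side failure. The detection half only works if the header value actually reaches the log with its bytes intact, which is why the logging recommendation below matters.\u003c/p\u003e\n\u003cp\u003e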
Repeated requests across multiple workers can lead to a complete service outage. This vulnerability affects Granian servers running versions 1.2.0 through 2.7.3.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Granian to version 2.7.4 or later, which fixes CVE-2026-42544. Because the crash happens before any application code runs, there is no application-level workaround.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Granian WebSocket Subprotocol DoS Attempt\u003c/code\u003e, which flags exploitation attempts by matching non-ASCII characters in the \u003ccode\u003eSec-WebSocket-Protocol\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eMake sure the webserver or reverse proxy in front of Granian logs request headers, including the \u003ccode\u003eSec-WebSocket-Protocol\u003c/code\u003e value: the Sigma rule matches on that field, and common default access-log formats do not record it. Because the worker aborts before answering, match on the header value rather than on a response status code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-granian-dos/","summary":"Granian versions 1.2.0 through 2.7.3 are vulnerable to an unauthenticated denial of service. Sending a WebSocket upgrade request with a `Sec-WebSocket-Protocol` header containing non-ASCII bytes causes the worker process to abort.","title":"Granian WebSocket Subprotocol Header Denial of Service","url":"https://feed.craftedsignal.io/briefs/2024-01-09-granian-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Granian","version":"https://jsonfeed.org/version/1.1"}