CVE-2026-44546
Description
Daphne versions prior to 4.2.2 are vulnerable to header injection due to parser differentials between Twisted and Autobahn.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Daphne versions before 4.2.2 are affected by a vulnerability where the server reconstructs raw HTTP requests from parsed headers and passes them to Autobahn for WebSocket handshake processing. Twisted, a dependency, does not recognize certain bytes (\x0b, \x0c, \x1c, \x1d, \x1e, or \x85) as header line separators. However, Autobahn decodes header values to strings and uses splitlines(), creating a parser differential that allows an attacker to inject additional headers into the ASGI scope provided to the application.
Exploitation
An attacker can exploit this parser differential by sending specially crafted HTTP requests containing specific non-standard bytes within header values. These bytes are not treated as line separators by Twisted but are processed as such by Autobahn. This allows the attacker to inject arbitrary headers into the ASGI scope, which is then passed to the downstream application.
Impact
Successful exploitation allows an attacker to inject additional headers into the ASGI scope. The exact impact of these injected headers depends on how the application handles them, but it could potentially lead to unexpected behavior or security bypasses. Daphne now rejects requests with these bytes in any header value by returning a 400 Bad Request response.
Mitigation
Daphne version 4.2.2 and later have been released to address this vulnerability. The fix involves rejecting requests that contain the problematic bytes in any header value with a 400 response. Users are advised to upgrade to Daphne 4.2.2 or a later version. The release date for version 4.2.2 is not explicitly mentioned in the provided changelog [1].
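As an added illustration (not Daphne's, Twisted's or Autobahn's own code), the block below models the differential the advisory describes by splitting the same header block with a CRLF-only parser and with str.splitlines(), then applies the check the fix describes (400 for any header value carrying one of the listed bytes). The latin-1 decode, the header names and the sample request are assumptions constructed for the example.

```python
# Added example for CVE-2026-44546: models a CRLF-only header parser next to
# a splitlines()-based one, then the 400 check the advisory describes.

# The six bytes named in the advisory. A CRLF-only parser leaves them inside
# the header value; str.splitlines() treats every one of them as a line break.
PARSER_DIFFERENTIAL_BYTES = frozenset(b"\x0b\x0c\x1c\x1d\x1e\x85")


def strict_header_lines(raw: bytes) -> list[bytes]:
    """Split on CRLF only (models the strict behaviour attributed to Twisted)."""
    return [line for line in raw.split(b"\r\n") if line]


def lenient_header_lines(raw: bytes) -> list[str]:
    """Decode and split with splitlines() (models the behaviour attributed to
    Autobahn). latin-1 is an assumption chosen so every byte maps 1:1."""
    return [line for line in raw.decode("latin-1").splitlines() if line]


def header_count_differential(raw: bytes) -> tuple[int, int]:
    """(lines seen by the strict parser, lines seen by the lenient parser)."""
    return len(strict_header_lines(raw)), len(lenient_header_lines(raw))


def has_differential_bytes(value: bytes) -> bool:
    """True if a header value contains a byte the two parsers disagree on."""
    return any(b in PARSER_DIFFERENTIAL_BYTES for b in value)


def validate_headers(headers: list[tuple[bytes, bytes]]) -> int:
    """The mitigation described in the advisory: 400 if any header value
    carries one of the bytes, otherwise let the request through (200)."""
    return 400 if any(has_differential_bytes(v) for _, v in headers) else 200


def build_raw_headers(headers: list[tuple[bytes, bytes]]) -> bytes:
    """Reconstruct a raw header block from parsed (name, value) pairs, the
    way the advisory says Daphne rebuilds the request for the handshake."""
    return b"".join(k + b": " + v + b"\r\n" for k, v in headers) + b"\r\n"


# Constructed sample: the Host value hides a \x0b followed by text that a
# splitlines()-based parser reads as a separate header line.
SAMPLE_HEADERS = [
    (b"Host", b"example.test\x0bX-Injected: yes"),
    (b"Upgrade", b"websocket"),
]
CLEAN_HEADERS = [(b"Host", b"example.test"), (b"Upgrade", b"websocket")]
```

Running header_count_differential(build_raw_headers(SAMPLE_HEADERS)) gives (2, 3): two header lines for the strict parser, three for the lenient one, which is the extra header the advisory says lands in the ASGI scope.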
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <4.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.