Description
Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error. This vulnerability is fixed in 2.7.4.
Published: 2026-05-12
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Granian, a Rust HTTP server for Python WSGI applications, terminates worker processes when the application returns a malformed HTTP header name or value. The server’s header conversion path unwraps both the header name and value, causing a panic on invalid data. One or more workers are aborted, resulting in a temporary denial of service until the server is restarted or affected workers are re‑spun. This flaw is a classic example of an unhandled panic leading to process termination (CWE‑248 and CWE‑755).

Affected Systems

The vulnerability affects emmett-framework’s Granian versions 0.2.0 through 2.7.3 inclusive. Version 2.7.4 and later contain the fix and are not susceptible to this issue.

Risk and Exploitability

The CVSS score of 5.9 places the flaw in the medium severity range. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker must be able to influence the WSGI application’s output—typically by sending crafted HTTP requests that cause the application to produce malformed header names or values. Once such input is processed, the server unwraps the invalid data, panics, and aborts the worker, which can be observed as a service interruption. The exploit does not require privileged access and can be performed remotely by triggering malformed HTTP responses via the application.

Generated by OpenCVE AI on May 13, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Granian to version 2.7.4 or later to apply the vendor‑supplied fix.
  • If an upgrade is not immediately possible, modify the WSGI application to validate or sanitize all HTTP response header names and values before they are sent to Granian, ensuring they conform to the RFC requirements and contain no invalid characters.
  • Deploy a reverse proxy or load balancer that inspects outbound headers and removes or corrects any malformed entries before they reach Granian, providing an additional safety layer while the underlying code is updated.

Generated by OpenCVE AI on May 13, 2026 at 00:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f5p7-9fr5-8jmj Granian vulnerable to DoS via WSGI response header panic
History

Tue, 12 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error. This vulnerability is fixed in 2.7.4.
Title Granian: DoS via WSGI response header panic
Weaknesses CWE-248
CWE-755
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:51:47.473Z

Reserved: 2026-04-28T16:56:50.191Z

Link: CVE-2026-42545

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T22:16:34.600

Modified: 2026-05-12T22:16:34.600

Link: CVE-2026-42545

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:15:27Z

Weaknesses