Impact
daphne before version 4.2.2 reconstructs a raw HTTP request from Twisted’s parsed headers and passes it to autobahn for WebSocket handshake processing. Twisted does not treat specific control bytes (\x0b, \x0c, \x1c, \x1d, \x1e, \x85) as header line separators, while autobahn splits header values on line boundaries. An attacker can therefore inject additional header lines by including these bytes in a WebSocket upgrade request, causing the ASGI application to receive a forged request scope with altered headers. This flaw enables header spoofing and could lead to misrepresentation of client information, potentially undermining application logic that relies on trusted header values.
Affected Systems
djangoproject:daphne versions earlier than 4.2.2 are affected. The 4.2.2 release explicitly rejects any request containing the listed control bytes in header values and returns a 400 Bad Request response, addressing the vulnerability.
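The following is an added illustration, not code from daphne, Twisted or autobahn. It shows the parser differential described under Impact and the kind of check the 4.2.2 release is described as adding under Affected Systems. It assumes that the downstream handshake parser splits header text the way Python's str.splitlines() does (which does treat \x0b, \x0c, \x1c, \x1d, \x1e and \x85 as line boundaries); the exact implementation of daphne's own check is not reproduced here, and the header values used are constructed for the demonstration.

```python
"""Added example (not daphne's, Twisted's or autobahn's code).

Shows why a single header value that Twisted keeps intact can become two
header lines in a parser that uses str.splitlines(), and a defensive check
that rejects such values with 400 before the upgrade request is forwarded.
"""
from typing import Iterable, Tuple

# Control bytes named in the advisory: a CRLF-only parser keeps them inside a
# header value, but str.splitlines() treats each of them as a line boundary.
HEADER_SPLIT_BYTES = frozenset(b"\x0b\x0c\x1c\x1d\x1e\x85")


def header_value_is_clean(value: bytes) -> bool:
    """Return True if the value contains none of the ambiguous separator bytes."""
    return not any(b in HEADER_SPLIT_BYTES for b in value)


def count_lines_by_parser(value: bytes) -> Tuple[int, int]:
    """Return (lines seen by a CRLF-only parser, lines seen by str.splitlines()).

    Headers are decoded as latin-1 so every byte maps to one code point, which is
    how a byte such as \\x85 ends up being treated as a line separator.
    """
    text = value.decode("latin-1")
    crlf_lines = len(text.split("\r\n"))
    splitlines_lines = len(text.splitlines())
    return crlf_lines, splitlines_lines


def validate_headers(headers: Iterable[Tuple[bytes, bytes]]) -> Tuple[int, str]:
    """Return (status, reason): 400 if any name or value carries an ambiguous byte.

    This mirrors the mitigation the advisory describes (reject and answer
    400 Bad Request); it is an assumed reconstruction, not daphne's code.
    """
    for name, value in headers:
        if not (header_value_is_clean(name) and header_value_is_clean(value)):
            return 400, "Bad Request"
    return 200, "OK"


if __name__ == "__main__":
    # Constructed sample: one value that is a single line to a CRLF-only parser
    # but two lines to str.splitlines().
    ambiguous = b"1.2.3.4\x85x-injected: constructed"
    print(count_lines_by_parser(ambiguous))       # (1, 2)
    print(validate_headers([(b"host", b"example.test"),
                            (b"x-forwarded-for", ambiguous)]))  # (400, 'Bad Request')
```

The check is applied to header names as well as values, since a name is just as capable of carrying one of these bytes; rejecting the whole request rather than stripping the bytes avoids silently producing a different request from the one the client sent.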
Risk and Exploitability
The CVSS score of 3.7 indicates a moderate impact. The EPSS score is not available, so the current exploitation likelihood cannot be quantified, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation. The attack vector is remote over the network; an attacker only needs the ability to send a crafted WebSocket upgrade request. While the flaw does not provide direct remote code execution, it allows an attacker to inject or spoof headers, which could be leveraged if the application blindly trusts header values for authorization or other security decisions.
OpenCVE Enrichment