CVE-2026-44546: CWE-444 (Inconsistent Interpretation of HTTP Requests -- "HTTP Request/Response Smuggling") in djangoproject daphne
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.
AI Analysis
Technical Summary
Daphne versions prior to 4.2.2 reconstruct raw HTTP requests from Twisted's parsed headers and pass them to autobahn for WebSocket handshake processing. Twisted does not recognize certain control characters (\x0b, \x0c, \x1c, \x1d, \x1e, \x85) as header line separators, while autobahn decodes header values to strings and splits lines, treating these characters as separators. This mismatch allows an attacker to exploit the parser differential to inject additional headers into the ASGI scope, potentially affecting application behavior. Daphne 4.2.2 mitigates this by rejecting requests with these bytes in any header value, returning a 400 error.
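The parser differential described above, as an added example that is not daphne's, Twisted's or autobahn's own code: a CRLF-only splitter stands in for the first parser, `str.splitlines()` after latin-1 decoding (an assumption) stands in for the second, and a guard in the spirit of the 4.2.2 fix rejects any header value containing one of the listed bytes.

```python
from typing import List, Tuple

# Bytes that str.splitlines() honors as line boundaries but that a parser
# splitting only on CRLF/LF does not (set taken from the advisory text).
SMUGGLING_SEPARATORS = frozenset(b"\x0b\x0c\x1c\x1d\x1e\x85")


def crlf_parser_view(value: bytes) -> List[bytes]:
    """Stand-in for the first parser: only CR/LF end a line, so the value
    survives as one field (assumption modelled on the advisory's description
    of Twisted, not Twisted's code)."""
    return [v for v in value.replace(b"\r\n", b"\n").split(b"\n") if v]


def splitlines_parser_view(value: bytes) -> List[str]:
    """Stand-in for the second parser: decode to str (assumption: latin-1, so
    each byte is one code point) and call splitlines(), which also breaks on
    VT, FF, FS, GS, RS and NEL."""
    return value.decode("latin-1").splitlines()


def is_differential(value: bytes) -> bool:
    """True when the two parsers disagree on how many lines the value spans."""
    return len(crlf_parser_view(value)) != len(splitlines_parser_view(value))


def header_value_is_safe(value: bytes) -> bool:
    """Guard in the spirit of daphne 4.2.2: reject any splitlines() separator."""
    return not any(b in SMUGGLING_SEPARATORS for b in value)


def validate_headers(headers: List[Tuple[bytes, bytes]]) -> Tuple[int, str]:
    """Return (status, reason): 400 when any header value could be re-split."""
    for name, value in headers:
        if not header_value_is_safe(value):
            return 400, "control character in header %r" % name.decode("latin-1")
    return 200, "ok"


# Constructed sample headers (not taken from real traffic).
CLEAN_HEADERS = [(b"host", b"example.test"), (b"upgrade", b"websocket")]
TAINTED_HEADERS = [(b"host", b"example.test"), (b"x-note", b"first\x1esecond")]

if __name__ == "__main__":
    for _, v in TAINTED_HEADERS:
        print(v, crlf_parser_view(v), splitlines_parser_view(v), is_differential(v))
    print(validate_headers(CLEAN_HEADERS), validate_headers(TAINTED_HEADERS))
```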
Potential Impact
The vulnerability allows injection of additional headers into the ASGI scope due to inconsistent parsing of HTTP headers, which may lead to unexpected application behavior. The CVSS score of 3.7 indicates low severity with limited confidentiality impact and no integrity or availability impact. There are no known exploits in the wild.
Mitigation Recommendations
A fix is available in daphne version 4.2.2, which rejects requests containing the problematic control characters in header values with a 400 response. Users should upgrade to daphne 4.2.2 or later to remediate this vulnerability. Patch status is not explicitly confirmed in the provided data, but the description states the issue is fixed in 4.2.2. No additional mitigations are indicated.
CVSS v3.1 score: 3.7 (Low)
Weaknesses: CWE-444
Technical Details
- Data Version: 5.2
- Assigner Short Name: DSF
- Date Reserved: 2026-05-06T20:29:54.084Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2037c3e29bf47b50c14db2
Added to database: 6/3/2026, 2:18:43 PM
Last enriched: 6/3/2026, 2:48:54 PM
Last updated: 6/4/2026, 5:00:36 AM