Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3426417 by sy2n0
Reporter: Jiyong Yang / BAEKSEOK University
Target: Django (current main, affects all versions with ASGI support)
Type: Denial of Service (CPU exhaustion)
django.core.handlers.asgi.ASGIRequest builds the META dictionary by iterating over the ASGI scope["headers"] list. Whenever the same header name appears multiple times (which is legal in HTTP/2 and HTTP/3), the code concatenates the previous value and the new chunk via value = existing + "," + new. Because Python strings are immutable, each concatenation copies the entire accumulated value. If an attacker repeats a header n times, the loop performs on the order of 1 + 2 + … + n = Θ(n²) bytes of copying before the request even reaches view code. A single request with a few thousand duplicated headers therefore ties up the worker CPU and creates a denial-of-service condition on any Django ASGI deployment.
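The following is an added example, not Django's code and not part of the report: it models the merge loop described above with the concatenating pattern next to a buffer-and-join rewrite that produces the same META entries at linear cost, and counts the bytes each variant rewrites. The header-name conversion (HTTP_ prefix, upper-case, dashes to underscores) is a simplification of what Django does, and the header list is constructed inline.

```python
# Added example (not Django's code): models the quadratic copying that
# happens when duplicate headers are merged by repeated string concatenation,
# next to a linear alternative that collects the values and joins once.
# Header names/values are constructed; the counters approximate the bytes
# CPython copies when it materialises each new string.

from collections import defaultdict


def _meta_key(name):
    # Simplified version of the META key derivation (assumption, not Django's
    # exact logic, which special-cases a few headers).
    return "HTTP_" + name.decode("latin1").upper().replace("-", "_")


def build_meta_concat(headers):
    """Merge duplicate headers with `existing + "," + new`, the pattern the
    report describes. Returns (meta, copied_bytes). Each concatenation
    materialises a fresh string of the full accumulated length, so the copy
    volume grows quadratically in the number of repeats."""
    meta = {}
    copied = 0
    for name, value in headers:
        key = _meta_key(name)
        value = value.decode("latin1")
        if key in meta:
            meta[key] = meta[key] + "," + value
            copied += len(meta[key])  # the whole accumulated value is rewritten
        else:
            meta[key] = value
    return meta, copied


def build_meta_join(headers):
    """Same result, linear cost: buffer the chunks per header name and join
    them once after the loop, so each byte is copied a constant number of
    times regardless of how often the header repeats."""
    chunks = defaultdict(list)
    for name, value in headers:
        chunks[_meta_key(name)].append(value.decode("latin1"))
    meta = {}
    copied = 0
    for key, values in chunks.items():
        if len(values) == 1:
            meta[key] = values[0]        # nothing to merge, nothing copied
        else:
            meta[key] = ",".join(values)
            copied += len(meta[key])     # one pass over the final value
    return meta, copied


def repeated_header(n, name=b"x-dup", value=b"x" * 10):
    """Constructed ASGI-style header list: the same name repeated n times."""
    return [(name, value) for _ in range(n)]


if __name__ == "__main__":
    # Doubling n roughly quadruples the concat figure and doubles the join one.
    for n in (100, 200, 400):
        _, q = build_meta_concat(repeated_header(n))
        _, j = build_meta_join(repeated_header(n))
        print(f"n={n:4d}  concat copies {q:8d} bytes   join copies {j:6d} bytes")
```

The join variant is the usual fix for this class of bug: accumulate into a list and materialise the string once. Independently of the handler, bounding the total header bytes a request may carry at the ASGI server or reverse proxy caps n before the loop runs at all.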