ASGIRequest header concatenation quadratic CPU DoS on Django via repeated headers leads to worker exhaustion
Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/3426417
ASGIRequest header concatenation quadratic CPU DoS
Reporter: Jiyong Yang / BAEKSEOK University
Target: Django (current main, affects all versions with ASGI support)
Type: Denial of Service (CPU exhaustion)
Summary
django.core.handlers.asgi.ASGIRequest builds the META dictionary by iterating over the ASGI scope["headers"] array. Whenever the same header name appears multiple times (which is legal in HTTP/2 and HTTP/3), the code concatenates the previous value and the new chunk via value = existing + "," + new. Because Python strings are immutable, each concatenation copies the entire accumulated value. If an attacker repeats a header n times, the loop performs 1 + 2 + … + n = Θ(n²) bytes of copying before the request even reaches view code. A single request with a few thousand duplicated headers therefore ties up the worker CPU and creates a denial-of-service condition on any Django ASGI deployment.
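To make the cost concrete, the following added example (not Django's code) models the META-building loop in a simplified form: one builder merges repeated header values with `existing + "," + new` as the report describes and counts the bytes copied, and a linear alternative collects the chunks in a list and joins once. The scope layout follows the ASGI convention of `(name, value)` byte pairs; the `HTTP_` key mapping is a simplified assumption, and the scope contents are constructed.

```python
from collections import defaultdict


def make_scope(repeats, name=b"x-dup", value=b"v" * 8):
    """Constructed ASGI-style scope with one header repeated `repeats` times."""
    return {"type": "http", "headers": [(name, value)] * repeats}


def _meta_key(name):
    # Simplified assumption of how a header name becomes a META key.
    return "HTTP_" + name.decode("latin1").upper().replace("-", "_")


def build_meta_concat(scope):
    """Quadratic pattern from the report: every repeat re-copies the whole
    accumulated value. Returns (meta, bytes_copied) so the cost is visible."""
    meta = {}
    copied = 0
    for name, value in scope["headers"]:
        key = _meta_key(name)
        val = value.decode("latin1")
        if key in meta:
            copied += len(meta[key]) + 1 + len(val)  # size of the new string
            meta[key] = meta[key] + "," + val
        else:
            meta[key] = val
    return meta, copied


def build_meta_join(scope):
    """Linear alternative: append chunks to a list, join once per key."""
    chunks = defaultdict(list)
    for name, value in scope["headers"]:
        chunks[_meta_key(name)].append(value.decode("latin1"))
    return {key: ",".join(vals) for key, vals in chunks.items()}


if __name__ == "__main__":
    for n in (1000, 2000, 4000):
        _, copied = build_meta_concat(make_scope(n))
        print(f"{n:5d} repeats -> {copied:,} bytes copied by concatenation")
```

Doubling the repeat count roughly quadruples the bytes copied by the concatenation version, while the join version touches each byte once.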