CVE-2026-42545: Granian vulnerable to DoS via WSGI response header panic

May 6, 2026

Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error.

This issue requires a buggy or attacker-influenced WSGI application to emit invalid headers. It is not a parser bug in Granian’s request path. The security impact is that application mistakes which should result in a 500 instead kill the worker process.

References

github.com/advisories/GHSA-f5p7-9fr5-8jmj
github.com/emmett-framework/granian
github.com/emmett-framework/granian/security/advisories/GHSA-f5p7-9fr5-8jmj
nvd.nist.gov/vuln/detail/CVE-2026-42545

Code Behaviors & Features

Detect and mitigate CVE-2026-42545 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →