
Carlton Gibson

#20193 of 53,633
Total CVSS 12.8
Vulnerabilities · 2 (High 1, Medium 1)
PT-2026-45940 · CVSS 7.5 · 2026-06-03 · Daphne · Daphne · CVE-2026-44545
**Name of the Vulnerable Software and Affected Versions**
daphne versions prior to 4.2.2

**Description**
An unauthenticated remote attacker can cause excessive memory consumption and a denial of service by sending arbitrarily large WebSocket messages or frames. This occurs because `maxFramePayloadSize` and `maxMessagePayloadSize` are not passed to Autobahn's `WebSocketServerFactory`, which defaults both values to 0, meaning they are unlimited: the server buffers whatever payload length a frame header declares, and whatever total the fragments of one message add up to.

**Recommendations**
Update to version 4.2.2 or later.
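The following is an added example, not code from daphne or Autobahn (Autobahn exposes the two limits the advisory names through `WebSocketServerFactory.setProtocolOptions`; this toy does not import it). It shows where each limit has to be enforced for the check to help against the attack described: the frame limit against the length field in the frame header, before any payload is read, and the message limit against the running total of fragments. The frame headers and limit values are constructed for the demonstration, and a limit of 0 reproduces the "unlimited" default.

```python
import struct


class FrameTooLarge(Exception):
    """A single frame's declared payload exceeds max_frame_payload_size."""


class MessageTooLarge(Exception):
    """The fragments of one message together exceed max_message_payload_size."""


def build_frame_header(fin, opcode, length, mask_key=b"\x00\x00\x00\x00"):
    """Build a client-to-server (masked) frame header declaring `length` payload
    bytes. Constructed input: no payload is attached, which is the point; the
    declared length alone is what the server must check before buffering."""
    first = (0x80 if fin else 0x00) | (opcode & 0x0F)
    if length < 126:
        hdr = bytes([first, 0x80 | length])
    elif length < 65536:
        hdr = bytes([first, 0x80 | 126]) + struct.pack("!H", length)
    else:
        hdr = bytes([first, 0x80 | 127]) + struct.pack("!Q", length)
    return hdr + mask_key


def parse_frame_header(buf):
    """Decode (fin, opcode, payload_len, header_len) from the start of a frame.
    Raises ValueError if `buf` is too short to hold the whole header."""
    if len(buf) < 2:
        raise ValueError("need at least 2 header bytes")
    fin = bool(buf[0] & 0x80)
    opcode = buf[0] & 0x0F
    masked = bool(buf[1] & 0x80)
    length = buf[1] & 0x7F
    pos = 2
    if length == 126:
        if len(buf) < 4:
            raise ValueError("truncated 16-bit length")
        length, pos = struct.unpack("!H", buf[2:4])[0], 4
    elif length == 127:
        if len(buf) < 10:
            raise ValueError("truncated 64-bit length")
        length, pos = struct.unpack("!Q", buf[2:10])[0], 10
    if masked:
        if len(buf) < pos + 4:
            raise ValueError("truncated masking key")
        pos += 4
    return fin, opcode, length, pos


class LimitedAssembler:
    """Tracks one in-flight message and enforces both limits from headers only.

    A limit of 0 means "unlimited", mirroring the Autobahn default the
    advisory describes; that is the vulnerable configuration."""

    def __init__(self, max_frame_payload_size=0, max_message_payload_size=0):
        self.max_frame = max_frame_payload_size
        self.max_message = max_message_payload_size
        self._buffered = 0  # payload bytes of the message assembled so far

    def admit_frame(self, header):
        """Decide, before reading any payload, whether this frame may be buffered."""
        fin, _opcode, length, _hdr_len = parse_frame_header(header)
        if self.max_frame and length > self.max_frame:
            raise FrameTooLarge(f"frame payload {length} > {self.max_frame}")
        if self.max_message and self._buffered + length > self.max_message:
            raise MessageTooLarge(
                f"message would reach {self._buffered + length} > {self.max_message}")
        self._buffered += length
        if fin:
            self._buffered = 0  # message complete; reset for the next one
        return fin, length


def admit_all(assembler, headers):
    """Feed frame headers in order. Returns (frames admitted, error name or None)."""
    admitted = 0
    for header in headers:
        try:
            assembler.admit_frame(header)
        except (FrameTooLarge, MessageTooLarge) as exc:
            return admitted, type(exc).__name__
        admitted += 1
    return admitted, None


if __name__ == "__main__":
    huge = [build_frame_header(True, 0x2, 1 << 30)]  # one 1 GiB binary frame
    print("defaults 0/0 (unlimited):", admit_all(LimitedAssembler(), huge))
    guarded = LimitedAssembler(max_frame_payload_size=64 * 1024,
                               max_message_payload_size=1 << 20)
    print("64 KiB frame / 1 MiB message:", admit_all(guarded, huge))
    # Many small frames that together exceed the message limit trip the second check.
    frags = [build_frame_header(False, 0x2, 65536)] + [build_frame_header(False, 0x0, 65536)] * 19
    print("20 x 64 KiB fragments:", admit_all(guarded, frags))
```

Both checks read only the header, so a peer that never sends the payload it declared still cannot make the server reserve it; the fragment case shows why the per-frame limit alone is not enough.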
PT-2026-45941 · CVSS 5.3 · 2026-06-03 · Twisted Software Foundation · Twisted · CVE-2026-44546
**Name of the Vulnerable Software and Affected Versions**
daphne versions prior to 4.2.2

**Description**
A parser differential exists when reconstructing raw HTTP requests from Twisted's parsed headers for WebSocket handshake processing in autobahn. Twisted does not recognize the bytes `\x0b`, `\x0c`, `\x1c`, `\x1d`, `\x1e` or `\x85` as header line separators, so a header value containing one of them is passed through as a single header. autobahn, however, decodes the reconstructed request to a string and splits it with `splitlines()`, which does treat each of those characters as a line boundary. This discrepancy allows an attacker to inject additional headers into the ASGI scope passed to the application.

**Recommendations**
Update to version 4.2.2 or later.
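An added example of the differential described above, written for this page and not taken from daphne, autobahn or Twisted. The header list, header names and the form-feed payload are constructed; the toy decodes with latin-1 so every byte maps to one character, which is an assumption about the decoding step, not a statement about autobahn's code. `lenient_parse` reproduces the `str.splitlines()` behaviour, `strict_parse` splits only on CRLF, and `has_splitlines_separator` is one possible check at the reconstruction seam.

```python
# Characters that str.splitlines() treats as line boundaries but that an
# HTTP/1.1 header parser splitting only on CRLF does not.
SPLITLINES_ONLY_SEPARATORS = "\x0b\x0c\x1c\x1d\x1e\x85"

# Constructed sample: headers as an upstream CRLF-splitting parser would hand
# them over. The attacker smuggled a form feed (\x0c) into a header *value*.
PARSED_HEADERS = [
    (b"Host", b"example.test"),
    (b"X-Forwarded-For", b"203.0.113.5\x0cX-Admin: true"),
    (b"Sec-WebSocket-Key", b"dGhlIHNhbXBsZSBub25jZQ=="),
]


def rebuild_raw_request(headers):
    """Re-serialise parsed headers into a raw CRLF-delimited request block."""
    lines = [b"GET /ws HTTP/1.1"]
    lines += [name + b": " + value for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def lenient_parse(raw):
    """The differential: decode to str and split with str.splitlines()."""
    text = raw.decode("latin-1")  # assumption for the toy: 1:1 byte-to-char mapping
    _request_line, *header_lines = text.splitlines()
    headers = {}
    for line in header_lines:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def strict_parse(raw):
    """Hardened: split on CRLF only, so control bytes stay inside their value."""
    _request_line, *header_lines = raw.split(b"\r\n")
    headers = {}
    for line in header_lines:
        if not line:
            break
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def has_splitlines_separator(value):
    """Flag a header value that str.splitlines() would break into extra lines."""
    text = value.decode("latin-1")
    return any(ch in text for ch in SPLITLINES_ONLY_SEPARATORS)


if __name__ == "__main__":
    raw = rebuild_raw_request(PARSED_HEADERS)
    print("lenient:", lenient_parse(raw))   # contains an injected 'x-admin' header
    print("strict: ", strict_parse(raw))    # form feed stays inside X-Forwarded-For
    for name, value in PARSED_HEADERS:
        if has_splitlines_separator(value):
            print("reject header", name.decode(), "- value would split into extra lines")
```

The same bytes yield two different header sets depending only on which splitting rule is applied after reconstruction; any layer that re-serialises already-parsed headers and hands them to a second parser has to either use the same separator rule on both sides or refuse values that contain the extra separators.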