Description
Granian is a Rust HTTP server for Python applications. From 0.2.0 to before 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path calls .unwrap() on the results of both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error. This vulnerability is fixed in 2.7.4.
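A stopgap for deployments that cannot move to the fixed release at once, given as an added example (not Granian's code and not from the advisory): a WSGI middleware that checks response header names and values before they reach the server and answers 500 when they are malformed. The class and logger names are hypothetical, and the character rules follow RFC 9110, which is an assumption about what the server's header constructors reject.

```python
import logging
import re

log = logging.getLogger("header_guard")  # hypothetical logger name

# RFC 9110 field-name is a token: one or more "tchar" characters.
NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field value: HTAB, SP, visible ASCII and obs-text; no other control characters.
VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")
ERROR_BODY = b"Internal Server Error"


def invalid_headers(headers):
    """Return the entries of a WSGI header list that are not valid (name, value) pairs."""
    bad = []
    for item in headers:
        if not (isinstance(item, tuple) and len(item) == 2
                and all(isinstance(part, str) for part in item)
                and NAME_RE.fullmatch(item[0]) and VALUE_RE.fullmatch(item[1])):
            bad.append(item)
    return bad


class HeaderGuard:
    """WSGI middleware that answers 500 instead of forwarding malformed headers."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        rejected = []
        def guarded_start(status, headers, exc_info=None):
            rejected.extend(invalid_headers(headers))
            if rejected:
                # %r escapes control characters so the log line stays intact
                log.warning("dropping response, bad headers: %r", rejected)
                status = "500 Internal Server Error"
                headers = [("Content-Type", "text/plain"),
                           ("Content-Length", str(len(ERROR_BODY)))]
            return start_response(status, headers, exc_info)

        body = self.app(environ, guarded_start)
        try:
            for chunk in body:
                if rejected:
                    break  # discard the application's body
                yield chunk
        finally:
            if hasattr(body, "close"):
                body.close()
        if rejected:
            yield ERROR_BODY
```

Wrap the application object once, for example `app = HeaderGuard(app)`, and alert on the warning: each hit marks a code path that emits malformed headers and still needs fixing in the application.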
References (1)
x_refsource_confirm: https://github.com/emmett-framework/granian/security/advisories/GHSA-f5p7-9fr5-8jmj
Scores
CVSS v3: 5.9
EPSS: 0.0005
EPSS Percentile: 16.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-248, CWE-755
Status: published
Products (2)
emmett-framework/granian: >= 0.2.0, < 2.7.4
pypi/granian: 0.2.0 - 2.7.4 (PyPI)
Published: May 12, 2026
Tracked Since: May 13, 2026