asgiref is vulnerable to Inefficient Algorithmic Complexity
46
Medium Risk
Affected versions of this package allowed a potential Denial of Service (DoS) via the asgiref.wsgi.WsgiToAsgi adapter, where malicious requests containing an excessive number of duplicated HTTP headers could trigger resource exhaustion during WSGI environment construction. An attacker could exploit this by sending crafted requests with thousands of repeated header fields, causing high CPU and memory usage and degrading or crashing the service. The issue is mitigated by a more efficient algorithm and an optional duplicate_header_limit (default: 100) that rejects malformed requests exceeding the limit, unless explicitly disabled.
You are affected if you are using a version that falls within the vulnerable range.
asgiref is vulnerable to Inefficient Algorithmic Complexity in versions 3.0.0 - 3.11.0.
Upgrade the asgiref library to the patched version.
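The construction cost and the limit described above, as an added example that is not asgiref's own code: a simplified header-to-environ builder in the costly shape beside a linear one with a cap. The function names, the exception class and the counting rule (more than duplicate_header_limit occurrences of one name is rejected, None disables the check) are assumptions made for illustration.

```python
from collections import defaultdict


class TooManyDuplicateHeaders(ValueError):
    """One header name was repeated more often than the limit allows."""


def _environ_key(name: bytes) -> str:
    # WSGI convention: "x-dup" becomes "HTTP_X_DUP".
    return "HTTP_" + name.decode("latin1").upper().replace("-", "_")


def naive_environ_headers(headers):
    """Costly shape: each repeat re-copies the whole accumulated string,
    so n repeats of one header cost O(n^2) byte copies."""
    environ = {}
    for name, value in headers:
        key, text = _environ_key(name), value.decode("latin1")
        environ[key] = environ[key] + "," + text if key in environ else text
    return environ


def bounded_environ_headers(headers, duplicate_header_limit=100):
    """Linear shape: collect values per key, join once at the end, and
    reject a request that repeats one header more than the limit.
    Passing None disables the check (assumed semantics, see lead-in)."""
    collected = defaultdict(list)
    for name, value in headers:
        values = collected[_environ_key(name)]
        values.append(value.decode("latin1"))
        if duplicate_header_limit is not None and len(values) > duplicate_header_limit:
            raise TooManyDuplicateHeaders(_environ_key(name))
    return {key: ",".join(values) for key, values in collected.items()}


if __name__ == "__main__":
    # Constructed sample: ASGI-style (name, value) byte pairs.
    sample = [(b"host", b"example.test")] + [(b"x-dup", b"a")] * 3
    print(bounded_environ_headers(sample))
    try:
        bounded_environ_headers([(b"x-dup", b"a")] * 101)
    except TooManyDuplicateHeaders as exc:
        print("rejected:", exc)
```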