@aikido-autofix

Patch critical DoS vulnerability in WSGI adapter by limiting duplicate HTTP headers to prevent resource exhaustion attacks

This update includes breaking changes that require manual migration.

⚠️ Code affected by breaking changes.

The asgiref upgrade from 3.8.1 to 3.11.1 introduces a breaking change that affects this codebase:

Breaking Change: Drops support for Python 3.8

  • Where your code is affected:

    • pyproject.toml line 47: declares python = "^3.8" as minimum version

    • pyproject.toml line 41: lists "Programming Language :: Python :: 3.8" as supported classifier

    • .github/workflows/unit-test.yml line 10: CI matrix includes Python 3.8 in test suite (python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"])

    • pyproject.toml line 88: Black formatter targets Python 3.8 (target-version = ['py38'])

  • Impact: The package declares Python 3.8 support and actively tests against it in CI, but asgiref 3.9.0+ no longer supports Python 3.8. This creates an incompatibility where users running Python 3.8 will not be able to use Django (which depends on asgiref) with this package, or the installation may fail entirely.

  • Remediation: Update the minimum Python version requirement to 3.9 in pyproject.toml, remove Python 3.8 from the CI test matrix in .github/workflows/unit-test.yml, update the Black target version to py39, and remove the Python 3.8 classifier from the package metadata.

Note: The ApplicationCommunicator testing utility change does not affect this codebase as it is not used anywhere in the code.

All breaking changes by upgrading asgiref from version 3.8.1 to 3.11.1 (CHANGELOG)

| Version | Description |
|---|---|
| 3.9.0 | Drops support for (end-of-life) Python 3.8. |
| 3.9.0 | The ApplicationCommunicator testing utility will now return the task result if it's already completed on send_input and receive_nothing. You may need to catch (e.g.) the asyncio.exceptions.CancelledError if sending messages to already finished consumers in your tests. |
✅ 1 CVE resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| AIKIDO-2026-10159 | MEDIUM | [asgiref] A DoS vulnerability in the WSGI-to-ASGI adapter allows attackers to cause resource exhaustion by sending requests with excessive duplicated HTTP headers, potentially consuming high CPU and memory and degrading or crashing the service. |
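As an added defensive illustration (example code, not asgiref's own, and the exact upstream fix is not shown on this page): the string-concatenation pattern that makes merging many duplicate headers quadratic in a WSGI-to-ASGI style adapter, beside a linear merge that applies assumed caps (MAX_HEADERS, MAX_MERGED_BYTES, both hypothetical names chosen here) and rejects oversized requests before any work is done.

```python
from collections import defaultdict

MAX_HEADERS = 100             # assumed per-request cap; not an asgiref setting
MAX_MERGED_BYTES = 16 * 1024  # assumed cap on one merged header value

class HeaderLimitExceeded(ValueError):
    """Raised when a request exceeds the assumed header limits."""

def _wsgi_key(name: bytes) -> str:
    # ASGI header names are lowercase bytes; WSGI expects HTTP_UPPER_UNDERSCORE.
    return "HTTP_" + name.decode("latin1").upper().replace("-", "_")

def merge_headers_naive(headers):
    """Unbounded merge: every duplicate re-copies the growing string, so N
    duplicates of one header cost O(N^2) bytes of copying and no cap applies."""
    environ = {}
    for name, value in headers:
        key = _wsgi_key(name)
        if key in environ:
            environ[key] = environ[key] + "," + value.decode("latin1")
        else:
            environ[key] = value.decode("latin1")
    return environ

def merge_headers_bounded(headers):
    """Linear merge: bucket values per name, join once, and reject requests
    that exceed the header-line count or merged-value size caps."""
    buckets = defaultdict(list)
    for seen, (name, value) in enumerate(headers, start=1):
        if seen > MAX_HEADERS:
            raise HeaderLimitExceeded(f"more than {MAX_HEADERS} header lines")
        buckets[_wsgi_key(name)].append(value.decode("latin1"))
    environ = {}
    for key, parts in buckets.items():
        merged = ",".join(parts)
        if len(merged) > MAX_MERGED_BYTES:
            raise HeaderLimitExceeded(f"{key} exceeds {MAX_MERGED_BYTES} bytes")
        environ[key] = merged
    return environ

def is_rejected(headers) -> bool:
    """True when the bounded merge refuses the request, False otherwise."""
    try:
        merge_headers_bounded(headers)
    except HeaderLimitExceeded:
        return True
    return False
```

Both functions produce the same environ for ordinary requests; only the bounded one refuses a constructed flood of thousands of identical header lines instead of spending CPU and memory merging them.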