CVE-2020-35681

7.4 HIGH

📋 TL;DR

CVE-2020-35681 is an information disclosure vulnerability in Django Channels 3.0.0 through 3.0.2. The legacy channels.http.AsgiHandler class, which serves Django HTTP views when Channels runs on Django 2.2 and earlier, does not correctly separate request scopes between concurrent requests. In many cases the mix-up simply crashes the request, but with the right timing a response is delivered to a different client, leaking session identifiers and other sensitive data. Applications that serve HTTP through Django's own ASGIHandler (Django 3.0 and later) are not affected.

💻 Affected Systems

Products:
  • Django Channels
Versions: 3.x before 3.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that serve HTTP through the legacy channels.http.AsgiHandler class (typically Django 2.2 and earlier running on Channels 3.0.x). The default configuration is vulnerable because a ProtocolTypeRouter with no "http" entry falls back to AsgiHandler in Channels 3.0. Django's native ASGIHandler (django.core.asgi.get_asgi_application(), Django 3.0 and later) is not affected.

📦 What is this software?

Django Channels extends Django to speak ASGI, so a project can serve WebSockets and other long-lived protocols alongside ordinary HTTP views. Before Django 3.0 shipped its own ASGI handler, Channels bundled channels.http.AsgiHandler to route HTTP requests into Django's view system; that legacy adapter is the component at issue here.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain session tokens, authentication credentials, or other sensitive data belonging to other users, leading to account takeover and data breaches.

🟠 Likely Case

Intermittent delivery of one user's response (including session identifiers and user-specific data) to another client, which enables session hijacking; in many cases the mix-up only crashes the request.

🟢 If Mitigated

Once Channels is upgraded to 3.0.3 or HTTP is routed to Django's own ASGIHandler, the cross-request leak path is gone. Network controls do not reduce the impact while the bug is present, because the leak is between legitimate clients of the same application.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: No public reports
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

No crafted request is needed: the handler mixes up scopes on its own under concurrent load, so any client can end up receiving a response meant for someone else. Deliberate exploitation means keeping the server busy with concurrent requests and harvesting mismatched responses, which takes timing but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.3

Vendor Advisory: https://channels.readthedocs.io/en/stable/releases/3.0.3.html

Restart Required: Yes

Instructions:

1. Upgrade Django Channels: pip install "channels>=3.0.3" (quote the specifier; an unquoted > is a shell redirect).
2. Restart the ASGI server (for example Daphne or Uvicorn) so the new code is loaded.
3. Confirm the installed version with pip show channels.

🔧 Temporary Workarounds

Migrate to Django 3.0+ ASGIHandler (all platforms)

On Django 3.0 or later, route "http" in ProtocolTypeRouter to django.core.asgi.get_asgi_application() instead of channels.http.AsgiHandler.

Disable legacy HTTP handler (all platforms)

Remove every use of channels.http.AsgiHandler from the ASGI routing. Simply omitting the "http" key from ProtocolTypeRouter is not enough: Channels 3.0 falls back to AsgiHandler when no entry is given, so HTTP must be routed to another handler or served separately over WSGI while Channels handles only WebSocket routes.

🧯 If You Can't Patch

  • Understand the limits of perimeter controls: network segmentation and WAF rules narrow who can reach the application, but they do not stop responses leaking between the clients that can, because the mix-up happens inside the ASGI process.
  • If HTTP cannot be moved off channels.http.AsgiHandler, shorten session lifetimes and rotate session keys so a leaked session identifier is useful for as little time as possible.
  • Watch error rates closely: the same bug that leaks responses also crashes requests, so a rise in 5xx responses is the earliest sign it is being triggered.

🔍 How to Verify

Check if Vulnerable:

Check whether Django Channels 3.0.0 through 3.0.2 is installed and whether the ASGI routing uses channels.http.AsgiHandler, either explicitly or through ProtocolTypeRouter's default "http" entry.

Check Version:

pip show channels | grep Version

Verify Fix Applied:

Confirm the installed Django Channels version is 3.0.3 or higher, and confirm that channels.http.AsgiHandler is no longer referenced in the routing (including the implicit ProtocolTypeRouter default).
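The two checks above can be automated. The script below is an added example, not code from Django Channels or this advisory: it reads the installed channels version with importlib.metadata and parses a routing module's source with the standard ast module to find direct references to channels.http.AsgiHandler or a ProtocolTypeRouter that omits "http" (which Channels 3.0 fills in with AsgiHandler). The three routing samples are constructed for the example; the function names are the example's own.

```python
"""
Added example (not part of Django Channels): exposure check for CVE-2020-35681.

1. Is the installed channels version in the affected range 3.0.0 <= v < 3.0.3?
2. Does the ASGI routing use channels.http.AsgiHandler, either directly or by
   building a ProtocolTypeRouter with no "http" entry (Channels 3.0 then
   falls back to AsgiHandler)?
"""
import ast
from importlib import metadata  # Python 3.8+

AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 3)


def parse_version(text):
    """'3.0.2' -> (3, 0, 2); tolerates suffixes, e.g. '3.0.3rc1' -> (3, 0, 3)."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_is_affected(text):
    return AFFECTED_MIN <= parse_version(text) < FIXED


def installed_channels_version():
    """Version of the channels package in this environment, or None if absent."""
    try:
        return metadata.version("channels")
    except metadata.PackageNotFoundError:
        return None


def legacy_handler_findings(routing_source):
    """Reasons (with line numbers) the routing source would use AsgiHandler."""
    findings = []
    for node in ast.walk(ast.parse(routing_source)):
        if isinstance(node, ast.ImportFrom) and node.module == "channels.http":
            # from channels.http import AsgiHandler
            if any(alias.name == "AsgiHandler" for alias in node.names):
                findings.append(f"line {node.lineno}: imports channels.http.AsgiHandler")
        elif isinstance(node, ast.Attribute) and node.attr == "AsgiHandler":
            # channels.http.AsgiHandler referenced as an attribute
            findings.append(f"line {node.lineno}: references channels.http.AsgiHandler")
        elif isinstance(node, ast.Call):
            # ProtocolTypeRouter({...}) without an "http" key -> implicit AsgiHandler
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name == "ProtocolTypeRouter" and node.args and isinstance(node.args[0], ast.Dict):
                keys = {k.value for k in node.args[0].keys if isinstance(k, ast.Constant)}
                if "http" not in keys:
                    findings.append(f"line {node.lineno}: ProtocolTypeRouter has no 'http' "
                                    "entry (Channels 3.0 defaults it to AsgiHandler)")
    return findings


def assess(version, routing_source):
    """Return (vulnerable, explanation) for a channels version and routing source."""
    if version is None:
        return False, "channels is not installed"
    if not version_is_affected(version):
        return False, f"channels {version} is outside the affected range"
    findings = legacy_handler_findings(routing_source)
    if not findings:
        return False, f"channels {version} is in range but routing does not use AsgiHandler"
    return True, f"channels {version} with legacy AsgiHandler: " + "; ".join(findings)


# Constructed routing samples for the example.
EXPLICIT_LEGACY = """\
from channels.routing import ProtocolTypeRouter, URLRouter
from channels.http import AsgiHandler
application = ProtocolTypeRouter({"http": AsgiHandler(), "websocket": URLRouter([])})
"""
IMPLICIT_LEGACY = """\
from channels.routing import ProtocolTypeRouter, URLRouter
application = ProtocolTypeRouter({"websocket": URLRouter([])})
"""
NATIVE_HANDLER = """\
from django.core.asgi import get_asgi_application
from channels.routing import ProtocolTypeRouter, URLRouter
application = ProtocolTypeRouter({"http": get_asgi_application(), "websocket": URLRouter([])})
"""

if __name__ == "__main__":
    for label, src in (("explicit", EXPLICIT_LEGACY), ("implicit", IMPLICIT_LEGACY), ("native", NATIVE_HANDLER)):
        print(label, assess("3.0.2", src))
    print("this environment:", assess(installed_channels_version(), EXPLICIT_LEGACY))
```

In a real project, replace the constructed samples with the contents of your asgi.py or routing.py. The source scan is deliberately simple: it will not follow an alias such as `from channels.http import AsgiHandler as H`, so treat a clean result on an unfamiliar code base as a prompt to grep as well, not as proof.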

📡 Detection & Monitoring

Log Indicators:

  • A rise in 5xx responses or unhandled-exception tracebacks on HTTP routes served by Channels, especially right after a move to Channels 3.0.x; the same scope mix-up that leaks responses crashes requests in many cases.
  • Mismatched request/response pairs in application logs (for example a response body or Set-Cookie header logged against a request from a different client).

Network Indicators:

  • Bursts of concurrent HTTP requests sustained against the application (the condition that makes the race likely), and response sizes or content that do not match the request.
  • Note that the leaked data goes to whichever legitimate client is in the race, so the recipient's source address is not by itself suspicious.

SIEM Query:

SELECT minute, COUNT(*) AS errors FROM web_server_logs WHERE status_code >= 500 GROUP BY minute HAVING COUNT(*) > threshold
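The query above, run over raw access-log lines, as an added example (not part of the advisory or of Django Channels): it parses combined-format lines with a regular expression, buckets them by minute, and reports every minute whose 5xx ratio exceeds a threshold on a minimum number of requests. The log lines are constructed for the example; a flagged window is a coarse signal that the handler is crashing under load, not a confirmation that data leaked.

```python
"""
Added example (not part of Django Channels): flag per-minute 5xx bursts in a
combined-format access log, the coarse signal for CVE-2020-35681 being triggered.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a burst of 500s in the 10:00 minute, a quiet 10:01 minute,
# and one malformed line that the parser must skip.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2021:10:00:01 +0000] "GET /api/profile HTTP/1.1" 200 512
10.0.0.6 - - [12/Jan/2021:10:00:02 +0000] "GET /api/profile HTTP/1.1" 500 0
10.0.0.7 - - [12/Jan/2021:10:00:02 +0000] "GET /api/profile HTTP/1.1" 500 0
10.0.0.8 - - [12/Jan/2021:10:00:03 +0000] "GET /api/profile HTTP/1.1" 500 0
10.0.0.9 - - [12/Jan/2021:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 8192
10.0.0.5 - - [12/Jan/2021:10:01:10 +0000] "GET /api/profile HTTP/1.1" 200 512
10.0.0.6 - - [12/Jan/2021:10:01:11 +0000] "GET /api/profile HTTP/1.1" 200 512
malformed line that should be skipped
"""


def parse_line(line):
    """Return (timestamp, status, request) for a combined-format line, else None."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(match.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, int(match.group("status")), match.group("req")


def error_windows(log_text, min_requests=3, max_error_ratio=0.5):
    """
    Bucket requests by minute and return {minute: (total, errors)} for every
    minute with at least min_requests requests whose 5xx share exceeds
    max_error_ratio.
    """
    buckets = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, status, _request = parsed
        key = ts.strftime("%Y-%m-%dT%H:%M")
        buckets[key][0] += 1
        if status >= 500:
            buckets[key][1] += 1
    return {
        minute: (total, errors)
        for minute, (total, errors) in buckets.items()
        if total >= min_requests and errors / total > max_error_ratio
    }


if __name__ == "__main__":
    for minute, (total, errors) in sorted(error_windows(SAMPLE_LOG).items()):
        print(f"{minute}: {errors}/{total} responses were 5xx")
```

Tune min_requests and max_error_ratio to the application's normal error rate, and restrict the input to the HTTP routes that Channels actually serves so that unrelated backends do not mask or inflate the signal.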

🔗 References

  • Django Channels 3.0.3 release notes: https://channels.readthedocs.io/en/stable/releases/3.0.3.html
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-35681