PT-2025-5349 · Unknown · Django-Unicorn

Jackfromeast +1 · Published 2025-02-03 · Updated 2025-02-05 · CVE-2025-24370

CVSS v4.0: 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Django-Unicorn versions prior to 0.62.0
Description: The vulnerability arises in the core function set_property_value, which a remote user can trigger by crafting a component request whose fields are passed as the function's second and third parameters (the property name path and the value to assign). Because the property path is resolved against live Python objects, including double-underscore (dunder) attributes, an attacker can reach well beyond the component's own fields and make arbitrary changes to the Python runtime state. This can result in Cross-Site Scripting (XSS), Denial of Service (DoS) and Authentication Bypass in almost every Django-Unicorn-based application. At least five distinct ways of exploiting the vulnerability have been observed.
Recommendations: To resolve the issue, upgrade to version 0.62.0 or later. As a temporary workaround, block property paths that start with "__" so that dunder (magic) variables and methods cannot be reached. Additionally, a blacklist of restricted path segments, such as RESTRICTED_KEYS = ("__globals__", "__builtins__"), helps mitigate the vulnerability.
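The attribute-path primitive the description refers to, and the dunder filter from the workaround, reduced to a constructed toy. This is an added example, not django-unicorn's code; the names Component, Profile, set_property_value_unsafe, set_property_value_safe, PathRejected and demo are assumptions for illustration. The unsafe setter resolves the request-supplied second parameter as a dotted attribute path and assigns the third parameter to its last segment, so a path through __class__ writes to the shared class object rather than to one component instance; the hardened setter rejects dunder and RESTRICTED_KEYS segments up front and only follows attributes actually stored on the instance being traversed.

```python
"""Constructed model of an attribute-path setter like the one the advisory describes.

Added example, not django-unicorn's code. Component, Profile,
set_property_value_unsafe, set_property_value_safe, PathRejected and demo
are assumed names for illustration only.
"""
from typing import Any

# Blacklist of restricted path segments, as named in the advisory's workaround.
RESTRICTED_KEYS = ("__globals__", "__builtins__")


class Profile:
    def __init__(self) -> None:
        self.display_name = "guest"


class Component:
    """Stand-in for a server-side component whose public fields a client may update."""
    def __init__(self) -> None:
        self.profile = Profile()


class PathRejected(ValueError):
    """Raised when the hardened setter refuses a property path."""


def set_property_value_unsafe(component: Any, property_name: str, property_value: Any) -> None:
    """Resolve a dotted path with getattr and assign to its last segment.

    property_name and property_value come straight from the request, so nothing
    stops the path from leaving the component object (for example via __class__)
    and mutating state shared by every instance instead of one component.
    """
    *parents, leaf = property_name.split(".")
    target = component
    for segment in parents:
        target = getattr(target, segment)
    setattr(target, leaf, property_value)


def set_property_value_safe(component: Any, property_name: str, property_value: Any) -> None:
    """Same walk, hardened: every segment must be a plain identifier, must not
    start with "__" or appear in RESTRICTED_KEYS, and must be an attribute
    stored on the instance being traversed (never a class or module attribute)."""
    segments = property_name.split(".")
    for segment in segments:
        if not segment.isidentifier():
            raise PathRejected(f"invalid segment {segment!r}")
        if segment.startswith("__") or segment in RESTRICTED_KEYS:
            raise PathRejected(f"dunder or restricted segment {segment!r}")
    *parents, leaf = segments
    target = component
    for segment in parents:
        if segment not in vars(target):
            raise PathRejected(f"{segment!r} is not an instance attribute")
        target = getattr(target, segment)
    if leaf not in vars(target):
        raise PathRejected(f"{leaf!r} is not an instance attribute")
    setattr(target, leaf, property_value)


def demo() -> dict:
    """Run both setters on constructed input and report what happened."""
    victim = Component()      # another user's component, never touched directly
    attacker = Component()

    # Unsafe: the path escapes to the class object, so the write is visible on every instance.
    set_property_value_unsafe(attacker, "__class__.role", "admin")
    leaked = getattr(victim, "role", None)

    # Safe: the same path is refused before any getattr is performed.
    try:
        set_property_value_safe(attacker, "__class__.role", "admin")
        blocked = False
    except PathRejected:
        blocked = True

    # Safe: a legitimate nested field stored on the instance still updates.
    set_property_value_safe(attacker, "profile.display_name", "alice")

    return {
        "leaked_to_other_instance": leaked,
        "dunder_path_blocked": blocked,
        "legit_update": attacker.profile.display_name,
    }


if __name__ == "__main__":
    print(demo())
```

The instance-attribute check (vars(target)) is stricter than the advisory's blacklist alone: a blacklist stops the known dunder routes, while restricting traversal to per-instance attributes also stops writes to class attributes or methods reached through ordinary names, which is the shape of the "arbitrary changes to the Python runtime state" the description warns about.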

Tags: Exploit · Fix · DoS · RCE

Weakness Enumeration

Related Identifiers

CVE-2025-24370
GHSA-G9WF-5777-GQ43

Affected Products

Django-Unicorn