PT-2026-22741 · Django +1
Natalia Bidart +1 · Published 2026-03-03 · Updated 2026-05-13
CVE-2026-25673 · CVSS v2.0 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Django versions 6.0 through 6.0.2
Django versions 5.2 through 5.2.11
Django versions 4.2 through 4.2.28
Django versions 5.0.x and earlier
Django versions 4.1.x and earlier
Django versions 3.2.x and earlier
Description
The URLField.to_python() function in Django calls urllib.parse.urlsplit(), which performs NFKC normalization on Windows. This normalization is disproportionately slow for certain Unicode characters, potentially allowing a remote attacker to cause a denial of service by submitting large URL inputs containing these characters.
Recommendations
Update Django to version 6.0.3 or later.
Update Django to version 5.2.12 or later.
Update Django to version 4.2.29 or later.
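Where the upgrade cannot be rolled out immediately, the defensive pattern the advisory points at is to bound the size of a submitted URL before it ever reaches urlsplit(), since the expensive normalization runs inside the parser and its cost grows with the input. The example below is added here to show that ordering; it is neither Django's nor the advisory author's code. The names validate_url_bounded, check_url and URLValidationError are hypothetical, and MAX_URL_LENGTH is a constructed limit, not a Django default. Note that in Django's form pipeline Field.clean() calls to_python() before run_validators(), so a max_length validator on a forms.URLField runs after the parse and does not provide this bound; the length check has to sit in front of the parser, as it does here, or in an overridden to_python().

```python
from urllib.parse import urlsplit, SplitResult

# Constructed limit for this example; Django itself does not impose this
# value. Pick one that fits the application's real URLs.
MAX_URL_LENGTH = 2048
# Django's URLField accepts http(s) URLs by default; mirrored here.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class URLValidationError(ValueError):
    """Raised when a submitted URL is rejected before or after parsing."""


def validate_url_bounded(value: str, max_length: int = MAX_URL_LENGTH) -> str:
    """Validate a user-supplied URL, bounding input size before parsing.

    The length check is deliberately the first thing that happens: it is a
    cheap O(n) operation, whereas urlsplit() performs the normalization work
    that the advisory identifies as the expensive step. Nothing reaches
    urlsplit() unless it is already within the size budget.
    """
    if not isinstance(value, str):
        raise URLValidationError("URL must be a string")
    value = value.strip()
    if not value:
        raise URLValidationError("URL is empty")
    if len(value) > max_length:
        raise URLValidationError(
            f"URL length {len(value)} exceeds limit of {max_length}"
        )
    # Only now is the comparatively costly parser invoked.
    try:
        parts: SplitResult = urlsplit(value)
    except ValueError as exc:  # e.g. a malformed IPv6 netloc
        raise URLValidationError(f"URL could not be parsed: {exc}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise URLValidationError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.netloc:
        raise URLValidationError("URL has no host component")
    return parts.geturl()


def check_url(value, max_length=MAX_URL_LENGTH):
    """Non-raising wrapper: returns (True, normalized_url) or (False, reason)."""
    try:
        return True, validate_url_bounded(value, max_length)
    except URLValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: a normal URL, a non-http scheme, and an
    # oversized URL built from plain ASCII filler. No special characters are
    # needed to exercise the guard, because it never inspects the content.
    samples = [
        "https://example.com/path?q=1",
        "ftp://example.com/file",
        "https://example.com/" + "a" * 5000,
    ]
    for sample in samples:
        ok, detail = check_url(sample)
        print(f"{ok!s:5} {detail[:60]}")
```

The oversized sample is rejected by the length guard alone, before any parsing work is done, which is the property that matters for the resource-exhaustion case: the attacker's input never gets to choose how much CPU the parser spends. Pair this with request-level limits (body size, per-client rate limits) so that the bound is enforced upstream of the form as well.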
Fix
DoS
Allocation of Resources Without Limits
Resource Exhaustion
Affected Products
Django
Red Os