PT-2026-5877 · Django
Jacob Walls +2
Published 2026-02-03 · Updated 2026-03-10
CVE-2025-13473
CVSS v3.1 5.3 Medium
Vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Django 6.0 series: versions prior to 6.0.2
Django 5.2 series: versions prior to 5.2.11
Django 4.2 series: versions prior to 4.2.28
Unsupported series (no upstream fix): Django 5.0.x and earlier, 4.1.x and earlier, 3.2.x and earlier

Description
The django.contrib.auth.handlers.modwsgi.check_password() function, used to authenticate requests under mod_wsgi (the handler configured with WSGIAuthUserScript), is susceptible to a timing attack. In affected releases the function returns as soon as the username lookup fails or the account is inactive, before any password hash is computed, so a request for a non-existent username completes measurably faster than one for an existing account. A remote attacker who can reach the mod_wsgi-protected resource can use this difference to enumerate valid usernames. Earlier, unsupported Django series, including 5.0.x, 4.1.x and 3.2.x, are likely also affected and receive no fix.

Recommendations
Update to Django 6.0.2 or later (6.0 series).
Update to Django 5.2.11 or later (5.2 series).
Update to Django 4.2.28 or later (4.2 series).
Deployments on an unsupported series (5.0.x, 4.1.x, 3.2.x and earlier) should move to a supported series, since no fix is published for them. Users of distribution packages should apply the vendor advisory for their platform (see Related Identifiers).
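To make the flaw concrete, here is an added, stand-alone Python model of the vulnerable control flow next to a constant-work rewrite. It is example code written for this page, not Django's source or the upstream patch; it does not import Django, and the in-memory user table, the PBKDF2 parameters, the names check_password_vulnerable / check_password_hardened and the DUMMY_HASH constant are all constructed for the demonstration. The hardened variant applies the same principle Django's ModelBackend.authenticate() uses for unknown users: perform a hash computation on the failure path so that success and failure cost the same.

```python
import hashlib
import hmac
import os
import time

# Assumed PBKDF2 cost for the demo; high enough that one hash dominates a call's runtime.
ITERATIONS = 100_000

# Test hook: counts real hash computations so the work imbalance can be asserted, not just timed.
HASH_CALLS = {"n": 0}


def make_password(password, salt=None):
    """Encode a password as 'pbkdf2_sha256$iterations$salt$hash' (Django-like layout, constructed here)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, encoded):
    """Recompute the PBKDF2 digest from the stored salt and compare in constant time."""
    HASH_CALLS["n"] += 1
    _algorithm, iterations, salt_hex, digest_hex = encoded.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed user table standing in for the Django user model: username -> (is_active, encoded password).
USERS = {
    "alice": (True, make_password("correct horse battery staple")),
    "bob": (False, make_password("disabled-account")),
}

# Hash that the hardened handler verifies against when the username is unknown, so that
# path costs the same as a real verification. Generated once at import time.
DUMMY_HASH = make_password(os.urandom(24).hex())


def check_password_vulnerable(environ, username, password):
    """Shape of the pre-fix handler: unknown and inactive users return before any hashing."""
    record = USERS.get(username)
    if record is None:
        return None  # fast return: no PBKDF2 work, so the response is measurably quicker
    is_active, encoded = record
    if not is_active:
        return None  # also fast
    return verify_password(password, encoded)  # slow path, only reached for active users


def check_password_hardened(environ, username, password):
    """Constant-work variant: hash on every path, decide afterwards (same return contract)."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_HASH)  # burn the same cost, discard the result
        return None
    is_active, encoded = record
    ok = verify_password(password, encoded)  # hash before the is_active check, not after
    return ok if is_active else None


def call_and_count(func, username, password):
    """Return (handler result, number of hash computations performed) for one call."""
    before = HASH_CALLS["n"]
    result = func({}, username, password)
    return result, HASH_CALLS["n"] - before


def best_of(func, username, password, rounds=3):
    """Minimum wall-clock time over a few calls, as an attacker measuring the endpoint would."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        func({}, username, password)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for handler in (check_password_vulnerable, check_password_hardened):
        known = best_of(handler, "alice", "wrong-guess")
        unknown = best_of(handler, "nobody", "wrong-guess")
        print("%-26s known=%.4fs unknown=%.4fs" % (handler.__name__, known, unknown))
```

Running the file prints best-of-three timings for a known and an unknown username. With the vulnerable handler the unknown-user call returns in microseconds while the known-user call pays for a full PBKDF2 run; with the hardened handler the two are within measurement noise. The rewrite is a mitigation pattern for anyone maintaining a similar custom handler; for the shipped Django function the fix is upgrading to the releases listed above.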

Related Identifiers

BDU:2026-03464
BIT-DJANGO-2025-13473
CVE-2025-13473
GHSA-2MCM-79HX-8FXW
MGASA-2026-0032
OESA-2026-1307
OESA-2026-1308
OESA-2026-1309
OESA-2026-1343
OESA-2026-1344
OESA-2026-1507
OPENSUSE-SU-2026:10145-1
OPENSUSE-SU-2026:10160-1
OPENSUSE-SU-2026:10247-1
OPENSUSE-SU-2026:20184-1
PYSEC-2026-42
SUSE-SU-2026:0440-1
USN-8009-1

Affected Products

Django
Linux Mint
RED OS
Ubuntu