CVE-2026-25673

Severity: High (7.5)

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows th...

Affected: Windows, Python, Django

Overview

A significant security vulnerability has been identified in multiple supported versions of the Django web framework. This flaw allows a remote attacker to severely degrade or crash a web application by sending specially crafted web addresses (URLs).

Vulnerability Details

The vulnerability exists in `URLField.to_python()`, the function Django uses to process and validate URL data from user input, which in turn calls the Python standard library's `urllib.parse.urlsplit()`. On servers running the Windows operating system, this library function performs a specific type of Unicode text normalization (NFKC). For certain, deliberately chosen Unicode characters, that normalization becomes extremely slow and computationally expensive.

An attacker can exploit this by sending a large number of HTTP requests containing these problematic characters in the URL. The server will then waste immense amounts of CPU time trying to process them, leaving no resources available to handle legitimate user traffic. This is known as a Denial-of-Service (DoS) attack.

Affected Versions

The following supported Django series are confirmed to be vulnerable:

  • Django 6.0.x before version 6.0.3
  • Django 5.2.x before version 5.2.12
  • Django 4.2.x before version 4.2.29

Important Note: Earlier, unsupported series (such as 5.0.x, 4.1.x, and 3.2.x) were not officially evaluated but may also be affected. If you are running an unsupported version, you should upgrade to a patched, supported release immediately.
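As an added example (not part of this advisory and not Django's own code), the following Python function compares an installed Django version string, such as the value returned by `django.get_version()`, against the ranges listed above. The series and fixed versions are copied from this advisory; the parsing logic, the handling of pre-release suffixes, and the status names are assumptions of the example.

```python
# Added example: check a Django version string against the ranges in
# CVE-2026-25673. The fixed versions below are taken from the advisory;
# everything else is illustrative and not part of Django.

import re

# Fixed release per supported series, as listed in the advisory.
# A trailing 0 marks a final release (pre-releases sort as -1, see below).
FIXED_BY_SERIES = {
    (6, 0): (6, 0, 3, 0),
    (5, 2): (5, 2, 12, 0),
    (4, 2): (4, 2, 29, 0),
}


def parse_version(version):
    """Turn '5.2.11', '6.0' or '6.0.3rc1' into a comparable tuple.

    Any suffix after the numeric part (a1, b1, rc1, .dev...) is treated as
    preceding the final release of the same number, so '6.0.3rc1' < '6.0.3'.
    """
    text = version.strip()
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    pre = -1 if text[m.end():] else 0
    return (int(major), int(minor), int(patch or 0), pre)


def check_django_version(version):
    """Return (status, fixed_version) for the given Django version string.

    status is 'vulnerable' or 'patched' for the series the advisory
    evaluated, and 'not_evaluated' for any other series (older unsupported
    series may still be affected, as the advisory notes; treat them as
    needing an upgrade rather than as safe).
    """
    parsed = parse_version(version)
    series = parsed[:2]
    if series not in FIXED_BY_SERIES:
        return "not_evaluated", None
    fixed = FIXED_BY_SERIES[series]
    status = "vulnerable" if parsed < fixed else "patched"
    return status, ".".join(str(part) for part in fixed[:3])


if __name__ == "__main__":
    for candidate in ("5.2.11", "5.2.12", "6.0.3rc1", "4.1.13"):
        print(candidate, check_django_version(candidate))
```

A 'not_evaluated' result is not a clean bill of health: for the 5.0.x, 4.1.x and 3.2.x series mentioned above, the advisory's own guidance is to upgrade to a supported, patched release.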

Potential Impact

This vulnerability is rated as HIGH severity (CVSS score: 7.5). Successful exploitation can lead to:

  • Complete Service Outage: The web application becomes unresponsive to all users.
  • Severe Performance Degradation: The application becomes extremely slow, disrupting business operations.
  • Resource Exhaustion: Server CPU usage is maxed out, which can impact other services on the same host and incur significant cloud computing costs.

Remediation and Mitigation

The primary and most effective action is to upgrade your Django installation immediately.

1. Immediate Patching: Upgrade to a patched version of Django as soon as possible.

  • Upgrade to Django 6.0.3 or later
  • Upgrade to Django 5.2.12 or later
  • Upgrade to Django 4.2.29 or later

You can typically upgrade using your package manager, for example:

  pip install --upgrade django

2. For Unsupported Versions: If you are running an unsupported series (e.g., 4.1, 3.2), you must plan and execute an upgrade to a supported, patched version. Continuing to run unsupported software poses a critical security risk.

3. Interim Mitigation (if patching is delayed): While not a substitute for patching, you can deploy a Web Application Firewall (WAF) in front of your Django application. Configure it to block or rate-limit HTTP requests containing a high percentage of Unicode characters in the URL path or query parameters. This can help blunt an attack but may not stop all vectors.

Acknowledgement: Django credits Seokchan Yoon for responsibly reporting this issue.
