CVE-2025-13473

CWE-20810 documents8 sources

Severity

5.3MEDIUM

EPSS

0.0%

top 89.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedFeb 3

Description

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages6 packages

▶PyPIDjango6.0a1 — 6.0.2+2

▶PyPIdjango6.0a1 — 6.0.2+2

▶CVEListV5djangoproject/django6.0 — 6.0.2+2

▶NVDdjangoproject/django4.2 — 4.2.28+2

▶Debianpython-django< 2:2.2.28-1~deb11u12+3

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

CVEList

Username enumeration through timing difference in mod_wsgi authentication handler↗2026-02-03

▶

GHSA

Django has Observable Timing Discrepancy↗2026-02-03

▶

OSV

python-django vulnerabilities↗2026-02-03

▶

OSV

Django has Observable Timing Discrepancy↗2026-02-03

▶

OSV

CVE-2025-13473: An issue was discovered in 6↗2026-02-03

▶

📋Vendor Advisories

Red Hat

Django: Django: User enumeration via timing attack in mod_wsgi authentication↗2026-02-03

▶

Ubuntu

Django vulnerabilities↗2026-02-03

▶

Debian

CVE-2025-13473: python-django - An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-13473 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶