CVE-2025-14550 — Inefficient Algorithmic Complexity in Django

CWE-407 — Inefficient Algorithmic Complexity CWE-167 — Improper Handling of Additional Special Element10 documents8 sources

Severity

7.5HIGHNVD

OSV5.3

EPSS

0.1%

top 80.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Asgiref Djangoproject Django

Timeline

PublishedFeb 3

Description

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5djangoproject/django6.0 — 6.0.2+2

▶NVDdjangoproject/django4.2 — 4.2.28+2

▶PyPIdjangoproject/django6.0a1 — 6.0.2+2

▶CVEListV5djangoproject/asgiref3 — 3.11.1

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

OSV

python-django vulnerabilities↗2026-02-03

▶

OSV

CVE-2025-14550: An issue was discovered in 6↗2026-02-03

▶

GHSA

Django has Inefficient Algorithmic Complexity↗2026-02-03

▶

OSV

Django has Inefficient Algorithmic Complexity↗2026-02-03

▶

CVEList

Potential denial-of-service vulnerability via repeated headers when using ASGI↗2026-02-03

▶

📋Vendor Advisories

Red Hat

Django: Django: Denial of Service via crafted request with duplicate headers↗2026-02-03

▶

Ubuntu

Django vulnerabilities↗2026-02-03

▶

Debian

CVE-2025-14550: python-django - An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-14550 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶