CVE-2025-26699
Published 2025-03-06
Priority: P3 · 35 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.75% (50.2th percentile)
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.20 | 4.2.20 |
| djangoproject | django | >= 4.2 < 4.2.20 | 4.2.20 |
| djangoproject | django | >= 5.0 < 5.0.13 | 5.0.13 |
| djangoproject | django | >= 5.0 < 5.0.13 | 5.0.13 |
| djangoproject | django | >= 5.1 < 5.1.7 | 5.1.7 |
| djangoproject | django | >= 5.1 < 5.1.7 | 5.1.7 |
| msrc | azl3_kernel_6.6.92.2-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kernel_5.15.182.1-1_on_cbl_mariner_2.0 | — | — |
CVSS provenance
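| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_msrc | 7.8 | HIGH | — |
| vendor_debian | 5.0 | MEDIUM | — |
| vendor_redhat | 5.0 | MEDIUM | — |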
Red Hat
django: Potential denial-of-service vulnerability in django.utils.text.wrap()
vendor_redhat·2025-03-06·CVSS 5.0
CVE-2025-26699 [MEDIUM] CWE-400 django: Potential denial-of-service vulnerability in django.utils.text.wrap()
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
A potential denial of service vulnerability exists in django.utils.text.wrap() and the wordwrap template filter. When processing extremely long strings, these functions may cause excessive resource consumption, potentially leading to service disruption.
Statement: This vulnerability is rated as a Moderate severity because it exposes the wrap() method and wordwrap template filter to a potential denial of service attack. Malicious input containing extremely long strings c
Ubuntu
Django vulnerability
vendor_ubuntu·2025-03-06
CVE-2025-26699 Django vulnerability
Title: Django vulnerability
Summary: Django could be made to crash if it received specially crafted network traffic.
It was discovered that Django incorrectly handled text wrapping. An attacker could possibly use this issue to cause a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2025-26699: python-django - An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 b...
vendor_debian·2025·CVSS 5.0
CVE-2025-26699 [MEDIUM] CVE-2025-26699: python-django - An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 b...
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u6)
forky: resolved (fixed in 3:4.2.20-1)
sid: resolved (fixed in 3:4.2.20-1)
trixie: resolved (fixed in 3:4.2.20-1)
Microsoft
drm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr
vendor_msrc·2024-04-09·CVSS 7.8
CVE-2024-26699 [HIGH] CWE-129 drm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Linux: Linux
Customer Action Required: Yes
OSV
CVE-2025-26699: An issue was discovered in Django 5
osv·2025-03-06·CVSS 7.5
CVE-2025-26699 [HIGH] CVE-2025-26699: An issue was discovered in Django 5
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
GHSA
Django vulnerable to Allocation of Resources Without Limits or Throttling
ghsa·2025-03-06
CVE-2025-26699 [MEDIUM] CWE-770 Django vulnerable to Allocation of Resources Without Limits or Throttling
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
OSV
Django vulnerable to Allocation of Resources Without Limits or Throttling
osv·2025-03-06
CVE-2025-26699 [MEDIUM] Django vulnerable to Allocation of Resources Without Limits or Throttling
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-03-06
Published