CVE-2025-64460
published 2025-12-02


Priority: P3 (47), high
CVSS 3.1 base score: 7.5 (high)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS: 2.11% (79.4th percentile)
An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial of service (CPU and memory exhaustion) via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
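The advisory names the sink (`getInnerText()` behind the XML `Deserializer`) but not the trigger, and the fix is to upgrade. As a defence-in-depth check added here by the editor (not Django's own code, and not the patch), the guard below stream-parses untrusted fixture XML with the standard-library expat parser before it is handed to `django.core.serializers.deserialize("xml", ...)`, rejecting inputs that exceed a nesting-depth, element-count or byte budget. Expat builds no DOM and is non-recursive, so the check itself is linear in the input. The limits, the `XmlTooComplex` name, and both sample inputs are assumptions; the nested payload only exercises the guard and is not the input reported to Django.

```python
"""Pre-parse complexity guard for untrusted XML fixtures.

Added example, not code from the Django project. The MAX_* defaults are
illustrative; tune them to the largest fixture you legitimately load. This
guard is defence in depth only: the fix for CVE-2025-64460 is upgrading to
Django 4.2.27 / 5.1.15 / 5.2.9.
"""
import xml.parsers.expat


class XmlTooComplex(ValueError):
    """Raised when the XML exceeds the configured structural budget."""


def check_xml_complexity(data, max_depth=64, max_elements=100_000,
                         max_bytes=5 * 1024 * 1024):
    """Stream-parse `data` with expat, tracking nesting depth and element count.

    Returns (deepest_nesting, element_count) if the input is within budget,
    raises XmlTooComplex otherwise. Malformed XML is rejected too, so the
    Django deserializer never sees input this function has not accepted.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    if len(data) > max_bytes:
        raise XmlTooComplex(f"input is {len(data)} bytes, limit is {max_bytes}")

    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def start_element(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        # Exceptions raised in a handler abort parsing and propagate out of Parse().
        if state["depth"] > max_depth:
            raise XmlTooComplex(f"nesting depth exceeds {max_depth}")
        if state["elements"] > max_elements:
            raise XmlTooComplex(f"element count exceeds {max_elements}")

    def end_element(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlTooComplex(f"malformed XML: {exc}") from exc
    return state["max_depth"], state["elements"]


def is_safe_for_deserializer(data, **limits):
    """Boolean wrapper: True if `data` may be passed to deserialize("xml", ...)."""
    try:
        check_xml_complexity(data, **limits)
        return True
    except XmlTooComplex:
        return False


# Constructed sample: a small, ordinary Django fixture (3 elements, depth 3).
BENIGN_FIXTURE = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<django-objects version="1.0">\n'
    '  <object model="auth.group" pk="1">\n'
    '    <field name="name" type="CharField">editors</field>\n'
    '  </object>\n'
    '</django-objects>\n'
)


def nested_field_payload(depth):
    """Constructed input shaped to trip the depth guard: the field text is buried
    under `depth` extra elements. This is an assumption for exercising the check,
    not the crafted input described in the advisory."""
    return (
        '<django-objects version="1.0"><object model="auth.group" pk="1">'
        '<field name="name" type="CharField">'
        + "<x>" * depth + "payload" + "</x>" * depth
        + "</field></object></django-objects>"
    )


if __name__ == "__main__":
    print(check_xml_complexity(BENIGN_FIXTURE))
    print(is_safe_for_deserializer(nested_field_payload(10)))
    print(is_safe_for_deserializer(nested_field_payload(500)))
    # Usage with Django (not executed here):
    #   if is_safe_for_deserializer(body):
    #       for obj in serializers.deserialize("xml", body): ...
```

Call `check_xml_complexity()` on the raw request body or uploaded file before `serializers.deserialize("xml", ...)`; a rejection is a 4xx for the client, not a server-side resource spike.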

Affected

7 ranges

Vendor         Product        Version range                      Fixed in
debian         python-django  < 3:3.2.25-0+deb12u1 (bookworm)    3:3.2.25-0+deb12u1 (bookworm)
djangoproject  django         >= 4.2 < 4.2.27                    4.2.27
djangoproject  django         >= 4.2a1 < 4.2.27                  4.2.27
djangoproject  django         >= 5.1 < 5.1.15                    5.1.15
djangoproject  django         >= 5.1a1 < 5.1.15                  5.1.15
djangoproject  django         >= 5.2 < 5.2.9                     5.2.9
djangoproject  django         >= 5.2a1 < 5.2.9                   5.2.9
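The upstream ranges above start at the series' first pre-release, so a hand check is easy to get wrong (for example, `4.2rc1` falls inside `>= 4.2a1 < 4.2.27`). The helper below is an added example, not something from the page or the Django project: it orders Django version strings with pre-release awareness and classifies them against the three upstream ranges, answering `not evaluated` for series the advisory did not assess. The Debian row shows a distro backport (`3:3.2.25-0+deb12u1`), so a distribution package must be checked against the distribution's own advisory rather than its upstream version number; this helper deliberately refuses such strings.

```python
"""Classify a Django version against the CVE-2025-64460 upstream ranges.

Added example; the range table is taken from the advisory, the helper names
and the ordering scheme are this example's own.
"""
import re

# Upstream ranges from the advisory: (first affected, first fixed) per series.
AFFECTED_RANGES = (
    ("4.2a1", "4.2.27"),
    ("5.1a1", "5.1.15"),
    ("5.2a1", "5.2.9"),
)

_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)  # sorts after every a/b/rc pre-release of the same version
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?$")


def parse_version(text):
    """Return a sortable tuple (major, minor, micro, pre_kind, pre_num).

    Accepts Django's release format: "5.2", "5.2.9", "4.2a1", "4.2rc1".
    Anything else (dev snapshots, distro strings such as "3:3.2.25-0+deb12u1")
    raises ValueError so callers cannot silently misclassify it.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {text!r}")
    major, minor, micro, pre_tag, pre_num = m.groups()
    pre = (_PRE_ORDER[pre_tag], int(pre_num)) if pre_tag else _FINAL
    return (int(major), int(minor), int(micro or 0)) + pre


def assess(version):
    """Return "affected", "fixed" or "not evaluated" for an upstream version."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        lo, fixed = parse_version(first_affected), parse_version(first_fixed)
        if v[:2] != lo[:2]:
            continue  # different X.Y series
        return "affected" if lo <= v < fixed else "fixed"
    # 5.0.x, 4.1.x, 3.2.x etc.: the advisory says these were not evaluated.
    return "not evaluated"


def assess_installed():
    """Assess the Django import in this environment; None if Django is absent."""
    try:
        import django
    except ImportError:
        return None
    try:
        return assess(django.get_version())
    except ValueError:
        return "unrecognised"


if __name__ == "__main__":
    for v in ("5.2.8", "5.2.9", "4.2rc1", "5.0.14"):
        print(v, assess(v))
    print("installed:", assess_installed())
```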

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv                     7.5    HIGH
vendor_debian           7.5    HIGH
vendor_redhat           7.5    HIGH
vendor_ubuntu           4.3    MEDIUM