CVE-2026-25673: Uncontrolled Resource Consumption in Django

Severity
7.5 HIGH (NVD)
EPSS
0.2%
top 54.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 3

Description

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source  | Package              | Affected from | Fixed in
CVEList | djangoproject/django | 6.0           | 6.0.3 (+2)
NVD     | djangoproject/django | 4.2.0         | 4.2.29 (+2)
PyPI    | djangoproject/django | 6.0           | 6.0.3 (+2)

Patches

Vulnerability Details (3)

CVEList: Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows (2026-03-03)
GHSA: Django vulnerable to Uncontrolled Resource Consumption (2026-03-03)
OSV: Django vulnerable to Uncontrolled Resource Consumption (2026-03-03)

Vendor Advisories (2)

Red Hat: django: Django: Denial of Service via slow URL normalization on Windows (2026-03-03)
Debian: CVE-2026-25673: python-django - An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-25673 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-25673 — Uncontrolled Resource Consumption | cvebase