CVE-2025-13473

Information Exposure
Affects: Django
Versions: <=3.2.25, <=4.2.27, <=5.2.10, <=6.0.1
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.

An information exposure vulnerability (CVE-2025-13473) has been identified in Django, where the django.contrib.auth.handlers.modwsgi.check_password() function for authentication via mod_wsgi allows remote attackers to enumerate users through a timing attack. This issue may enable attackers to distinguish valid usernames from invalid ones based on authentication response timing.

Per OWASP: Information exposure through authentication failures occurs when an application does not properly protect its authentication mechanisms, allowing attackers to compromise or infer user identity information. When authentication behavior differs depending on whether an account exists, an attacker may be able to enumerate valid users and use that information to support further attacks such as credential stuffing, brute-force attempts, or targeted phishing.

Details

Module Info

Vulnerability Info

This Low-severity vulnerability is found in the contrib package in all published versions of Django.

Normally, Django’s authentication framework is designed to process login attempts in a consistent manner, ensuring that authentication responses don’t reveal whether a submitted username is valid. In particular, password verification routines are intended to minimize observable differences in processing behavior that could disclose sensitive account information to remote attackers.

However, due to improper handling of authentication timing in the django.contrib.auth.handlers.modwsgi.check_password() function, an attacker can measure subtle differences in response times during authentication attempts to determine whether specific usernames exist within the application. This behavior may allow attackers to enumerate valid user accounts and use that information to facilitate further attacks such as credential stuffing or targeted brute-force attempts.

This issue arises from insufficient normalization of authentication processing times in Django’s mod_wsgi authentication flow, enabling attackers to leverage timing discrepancies to infer information that should otherwise remain protected during user authentication.
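To make the timing discrepancy concrete, the following is an added Python example; it is not Django's code and not the fix Django shipped. It models the mod_wsgi check_password() interface (None for an unknown user, True/False for a password result) against a hypothetical in-memory UserStore, with an instrumented counter of password-hash computations. The leaky variant returns immediately for an unknown username, so a miss costs no hashing at all, while the hardened variant verifies against a dummy hash on that path so both outcomes perform the same amount of work. The hash-call count is a deterministic proxy for wall-clock time; median_seconds() is included so a defender can confirm the gap locally after applying a fix.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Deliberately low iteration count so the example runs in well under a second.
# Production hashers use far more, which widens the timing gap rather than closing it.
ITERATIONS = 20_000


def make_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password (stand-in for a Django password hasher)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class UserStore:
    """Hypothetical in-memory user table standing in for the Django user-model lookup."""

    def __init__(self) -> None:
        self.users: dict = {}
        self.hash_calls = 0  # instrumentation: hashing work performed per check
        # Dummy credential used only to equalise cost when the username is unknown.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = make_hash(os.urandom(32).hex(), self._dummy_salt)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, make_hash(password, salt))

    def verify(self, password: str, salt: bytes, expected: bytes) -> bool:
        self.hash_calls += 1
        return hmac.compare_digest(make_hash(password, salt), expected)


def check_password_leaky(store: UserStore, username: str, password: str) -> Optional[bool]:
    """Unknown user: immediate None with no hashing. Known user: one PBKDF2 run.
    That cost difference is the side channel the advisory describes."""
    record = store.users.get(username)
    if record is None:
        return None
    salt, digest = record
    return store.verify(password, salt, digest)


def check_password_hardened(store: UserStore, username: str, password: str) -> Optional[bool]:
    """Same interface, but an unknown user still pays one PBKDF2 run against a
    dummy hash (result discarded), so both outcomes cost about the same."""
    record = store.users.get(username)
    if record is None:
        store.verify(password, store._dummy_salt, store._dummy_hash)
        return None
    salt, digest = record
    return store.verify(password, salt, digest)


def hashing_work(check, store: UserStore, username: str, password: str) -> int:
    """Number of password-hash computations a single check performs."""
    before = store.hash_calls
    check(store, username, password)
    return store.hash_calls - before


def median_seconds(check, store: UserStore, username: str, password: str, rounds: int = 7) -> float:
    """Median wall-clock time of one check, for a local regression check of the fix."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        check(store, username, password)
        samples.append(time.perf_counter() - t0)
    return sorted(samples)[len(samples) // 2]


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")  # constructed sample account
    for name, check in (("leaky", check_password_leaky), ("hardened", check_password_hardened)):
        known = median_seconds(check, store, "alice", "wrong-password")
        unknown = median_seconds(check, store, "nobody", "wrong-password")
        print(f"{name:9s} known user: {known * 1000:7.2f} ms   unknown user: {unknown * 1000:7.2f} ms")
```

Running the block prints the median time per path; with the leaky check the unknown-user case is near zero and the known-user case costs a full PBKDF2 run, while the hardened check brings the two within noise of each other. The same equalisation is the reason a dummy-hash step is the standard mitigation for this class of user-enumeration timing leak.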

Mitigation

Django versions 3.2 and 4.2 are End-of-Life and will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Django.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Stackered (finder)

Vulnerability Details

  • Severity: Low (CVSS bands: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
  • ID: CVE-2025-13473
  • Project Affected: Django
  • Versions Affected: <=3.2.25, <=4.2.27, <=5.2.10, <=6.0.1
  • NES Versions Affected:
  • Published date: June 2, 2026
  • ≈ Fix date: April 29, 2026
  • Category: Information Exposure