CVE-2025-14550
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.
A denial-of-service vulnerability (CVE-2025-14550) has been identified in Django, where the ASGIRequest handler allows remote attackers to trigger excessive resource consumption through specially crafted requests containing multiple duplicate headers. This improper handling of repeated headers can result in super-linear computation during request processing, potentially causing service degradation or application outages within affected Django applications.
Per OWASP: Denial-of-Service (DoS) vulnerabilities occur when an application can be forced to consume excessive resources, preventing legitimate users from accessing the service. Resource exhaustion attacks commonly target memory, CPU, storage, or network bandwidth by exploiting weaknesses in how applications process untrusted input.
Details
Module Info
- Product: Django
- Affected packages: django
- Affected versions: <=3.2.25, <=4.2.27, <=5.2.10, <=6.0.1
- GitHub repository: https://github.com/django/django
- Published packages: https://pypi.org/project/Django/
- Package manager: pip
- Fixed in: Django NES v3.2.27 and v4.2.31
Vulnerability Info
This Medium-severity vulnerability is in Django's core package and affects every release series up to the versions listed above.
Normally, Django’s ASGI request handling framework is designed to efficiently process HTTP headers while maintaining predictable resource usage during request parsing. In particular, header parsing routines are intended to safely handle incoming request metadata without allowing malformed or repetitive input to significantly impact application performance.
However, because ASGIRequest does not handle a large number of repeated headers efficiently, an attacker can send a request in which one header name is repeated many times and force disproportionate CPU (and allocation) work while the request metadata is folded into the request's META mapping. Each repeat costs more than the last, so the total work grows super-linearly with the number of duplicates, and a handful of such requests can degrade or exhaust an application's workers.
The headers involved are not malformed: repeating a header is legal HTTP, so the input passes through proxies and ASGI servers unchanged. The issue is an algorithmic-complexity flaw in how the duplicates are combined, not a parsing error.
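To make the complexity point concrete, here is an added, self-contained illustration (not Django's code and not HeroDevs' patch) of the pattern the advisory describes: an ASGI scope `headers` list is folded into a WSGI-style META dict, and repeated header names are joined with commas. `headers_to_meta_quadratic` grows the joined value by re-concatenating the whole prefix on every repeat, which is the assumed pre-fix behaviour; `headers_to_meta_linear` collects the values and joins once. The header list, the hostile request generator and the META key mapping are constructed for the example.

```python
import time

# Constructed sample of an ASGI scope "headers" list: [(name_bytes, value_bytes), ...].
SAMPLE_HEADERS = [
    (b"host", b"example.test"),
    (b"content-type", b"text/plain"),
    (b"x-dup", b"1"),
    (b"x-dup", b"2"),
    (b"x-dup", b"3"),
]


def meta_key(name):
    """Map a lower-case header name to a WSGI-style META key (assumed mapping)."""
    if name == "content-length":
        return "CONTENT_LENGTH"
    if name == "content-type":
        return "CONTENT_TYPE"
    return "HTTP_%s" % name.upper().replace("-", "_")


def headers_to_meta_quadratic(headers):
    """Fold headers into META, joining repeats by re-concatenating the growing
    string each time (assumed pre-fix pattern). N repeats of one header copy
    O(N^2) bytes in total, because each '+' copies the whole existing prefix."""
    meta = {}
    for raw_name, raw_value in headers:
        key = meta_key(raw_name.decode("latin1"))
        value = raw_value.decode("latin1")
        if key in meta:
            value = meta[key] + "," + value  # copies everything accumulated so far
        meta[key] = value
    return meta


def headers_to_meta_linear(headers):
    """Same output: bucket values per key, join each bucket once. O(N) total."""
    buckets = {}
    for raw_name, raw_value in headers:
        key = meta_key(raw_name.decode("latin1"))
        buckets.setdefault(key, []).append(raw_value.decode("latin1"))
    return {key: ",".join(values) for key, values in buckets.items()}


def duplicate_header_counts(headers):
    """Header names that occur more than once, with their counts. Handy as a
    request-level sanity check or as a feature for detection logic."""
    counts = {}
    for raw_name, _ in headers:
        name = raw_name.decode("latin1")
        counts[name] = counts.get(name, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


def attacker_headers(n, value_len=64):
    """Constructed hostile input: n copies of one header with a fixed-size value."""
    return [(b"x-flood", b"A" * value_len)] * n


def time_call(func, headers):
    """Wall-clock seconds for one call of func(headers)."""
    start = time.perf_counter()
    func(headers)
    return time.perf_counter() - start


if __name__ == "__main__":
    # The two implementations agree on output; only the cost curve differs.
    assert headers_to_meta_quadratic(SAMPLE_HEADERS) == headers_to_meta_linear(SAMPLE_HEADERS)
    for n in (1_000, 4_000, 16_000):
        hostile = attacker_headers(n)
        q = time_call(headers_to_meta_quadratic, hostile)
        l = time_call(headers_to_meta_linear, hostile)
        print(f"{n:>6} duplicate headers: concat {q:.4f}s  join {l:.4f}s  ratio {q / l:.0f}x")
```

Running the script shows the concatenating version's time growing roughly fourfold each time the duplicate count quadruples, while the join version stays close to linear; the exact figures depend on the interpreter and host, so no specific numbers are claimed here. Note that the ASGI server in front of Django (and any reverse proxy) usually has its own header-count and header-size limits; those limits bound the size of `headers` that reaches this code, but a request with a few thousand duplicates of a short header still fits comfortably inside common defaults.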
Mitigation
Django versions 3.2 and 4.2 are End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Django.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Jiyong Yang (finder)