CVE-2026-25673

Denial of Service
Affects Django
Versions
<=3.2.25, <=4.2.28, <=5.2.11, <=6.0.2
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.

A denial-of-service vulnerability (CVE-2026-25673) has been identified in Django, where the URLField.to_python() method could be exploited through specially crafted large inputs containing certain Unicode characters. This issue stems from Django’s use of Python’s urlsplit() function for URL scheme detection, which performs expensive Unicode NFKC normalization on Windows platforms. This improper handling of maliciously crafted input may allow attackers to trigger disproportionate processing overhead, potentially resulting in excessive resource consumption and service degradation within affected Django applications.

Per OWASP: Denial-of-Service (DoS) vulnerabilities occur when an application can be forced to consume excessive resources, preventing legitimate users from accessing the service. Resource exhaustion attacks commonly target memory, CPU, storage, or network bandwidth by exploiting weaknesses in how applications process untrusted input.

Details

Vulnerability Info

This Medium-severity vulnerability is found in the forms package in all published versions of Django.

Normally, Django’s form handling framework is designed to safely process and normalize user-supplied URL input before performing validation or application logic. In particular, the URLField.to_python() method is intended to efficiently detect and normalize URL schemes without allowing malformed or excessively large input values to negatively impact application performance.

However, due to Django’s reliance on Python’s urlsplit() function for scheme detection, an attacker can submit specially crafted large inputs containing certain Unicode characters that trigger expensive Unicode NFKC normalization on Windows platforms. This behavior may cause disproportionate processing overhead during URL parsing, potentially resulting in excessive CPU consumption and denial-of-service conditions within affected Django applications.

This issue arises from inefficient handling of Unicode normalization during URL scheme detection in Django’s URLField.to_python() implementation, enabling attackers to exploit computationally expensive parsing behavior through specially crafted URL input values.
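As an added illustration (not Django's code and not its actual patch), the following contrasts scheme detection that hands the whole untrusted value to urlsplit(), as the advisory describes, with a bounded variant that rejects oversized input before any parsing and reads the scheme with an ASCII-only RFC 3986 match, so no Unicode normalization of attacker-controlled text runs ahead of validation. The length cap and function names are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
# The pattern is ASCII-only, so matching it never triggers Unicode normalization.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Assumed cap for this example; size it to the URLs your application expects.
MAX_URL_INPUT_LENGTH = 2048


def scheme_via_urlsplit(value: str) -> str:
    """Scheme detection in the style the advisory describes: the entire
    untrusted value goes through urlsplit(), which may NFKC-normalize it."""
    return urlsplit(value)[0].lower()


def bounded_scheme(value: str, max_length: int = MAX_URL_INPUT_LENGTH) -> str:
    """Hardened variant: bound the input size before parsing, then read the
    scheme with an ASCII-only match. Raises ValueError when the cap is exceeded."""
    if len(value) > max_length:
        raise ValueError(f"URL input exceeds {max_length} characters")
    match = _SCHEME_RE.match(value)
    if match is None:
        return ""  # no scheme present; the caller may supply a default
    return match.group(1).lower()


def normalize_url(value: str, default_scheme: str = "https") -> str:
    """Prepend a default scheme when none is present, mirroring the kind of
    normalization a URL form field performs after scheme detection."""
    value = value.strip()
    if bounded_scheme(value) == "":
        return f"{default_scheme}://{value}"
    return value


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print(bounded_scheme("HTTPS://example.com/path"))  # https
    print(normalize_url("example.com"))                # https://example.com
    try:
        bounded_scheme("x" * (MAX_URL_INPUT_LENGTH + 1))
    except ValueError as exc:
        print("rejected:", exc)
```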

Mitigation

Django versions 3.2 and 4.2 are End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Django.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Seokchan Yoon (finder)

Vulnerability Details

Severity: Medium (CVSS assessment levels: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-25673
Project Affected: Django
Versions Affected: <=3.2.25, <=4.2.28, <=5.2.11, <=6.0.2
NES Versions Affected:
Published date: June 2, 2026
≈ Fix date: April 29, 2026
Category: Denial of Service