CVE-2026-33034

Denial of Service
Affects: Django
Versions: <=3.2.25, <=4.2.29, <=5.2.13, <=6.0.4
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.

A denial-of-service vulnerability (CVE-2026-33034) has been identified in Django, which allows attackers to bypass configured memory upload limits by sending specially crafted ASGI requests with a missing or understated Content-Length header. This improper validation of request body size restrictions can cause Django to load unbounded request data into memory, potentially resulting in excessive resource consumption and service degradation or application crashes.

Per OWASP: Denial-of-Service (DoS) vulnerabilities occur when an application can be forced to consume excessive resources, preventing legitimate users from accessing the service. Resource exhaustion attacks commonly target memory, CPU, storage, or network bandwidth by exploiting weaknesses in how applications process untrusted input.

Details

Vulnerability Info

This High-severity vulnerability is found in the http package in all published versions of Django.

Normally, Django enforces upload size restrictions through the DATA_UPLOAD_MAX_MEMORY_SIZE setting, which helps protect applications from excessive memory consumption by limiting the amount of request body data processed in memory. In particular, Django relies on the Content-Length header to determine whether incoming request data exceeds configured upload thresholds before fully processing the request.

However, due to improper handling of specially crafted ASGI requests, an attacker can send requests with a missing or understated Content-Length header that bypass Django’s upload size validation checks. This bypass allows oversized request bodies to be loaded into memory despite configured safeguards, potentially leading to excessive memory usage and denial-of-service conditions within affected applications.

This issue arises from insufficient validation of request body size metadata during ASGI request processing, enabling attackers to manipulate request headers and force applications to allocate more memory resources than intended while handling malicious requests.
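The contrast the advisory draws, a size check that trusts the client-supplied Content-Length versus one that counts the bytes actually delivered by the ASGI receive() callable, is shown below as an added example. This is illustrative code written for this page, not Django's own implementation; the header check is a deliberately simplified stand-in for the weak pattern, the ASGI receive() test double is constructed, and the 2.5 MiB default only mirrors DATA_UPLOAD_MAX_MEMORY_SIZE's documented default value.

```python
import asyncio

# Django's documented default for DATA_UPLOAD_MAX_MEMORY_SIZE (2.5 MiB).
# The demo below passes a smaller cap so the constructed example runs quickly.
MAX_BODY_BYTES = 2_621_440


class RequestDataTooBig(Exception):
    """Raised when the bytes actually received exceed the configured cap."""


def passes_header_check(headers, max_bytes=MAX_BODY_BYTES):
    """The insufficient pattern: trust the client-supplied Content-Length.

    A missing or understated header passes no matter how many bytes follow.
    (Simplified illustration of the weak check, not Django's code.)
    """
    value = dict(headers).get(b"content-length")
    if value is None:
        return True  # nothing to compare against, so the check is skipped
    return int(value) <= max_bytes


async def read_body_bounded(receive, max_bytes=MAX_BODY_BYTES):
    """The robust pattern: count bytes as each ASGI http.request chunk
    arrives and stop as soon as the cap is exceeded, regardless of headers."""
    chunks = []
    total = 0
    while True:
        message = await receive()
        if message["type"] == "http.disconnect":
            raise ConnectionError("client disconnected before the body completed")
        chunk = message.get("body", b"")
        total += len(chunk)
        if total > max_bytes:
            # Stop reading here; nothing beyond the cap is ever buffered.
            raise RequestDataTooBig(f"received {total} bytes, limit is {max_bytes}")
        chunks.append(chunk)
        if not message.get("more_body", False):
            return b"".join(chunks)


def fake_receive(chunks):
    """Constructed ASGI-style receive() that streams the given chunks as
    http.request messages (test double, no real server involved)."""
    queue = list(chunks)

    async def receive():
        body = queue.pop(0)
        return {"type": "http.request", "body": body, "more_body": bool(queue)}

    return receive


def read_body(chunks, max_bytes=MAX_BODY_BYTES):
    """Synchronous wrapper: returns the full body or raises RequestDataTooBig."""
    return asyncio.run(read_body_bounded(fake_receive(chunks), max_bytes))


def accepts_body(chunks, max_bytes=MAX_BODY_BYTES):
    """True if the byte-counting reader accepts the streamed body."""
    try:
        read_body(chunks, max_bytes)
        return True
    except RequestDataTooBig:
        return False


def demo(cap=512 * 1024):
    """Constructed request: Content-Length claims 10 bytes, but 1 MiB follows
    in 64 KiB chunks. Returns (header_check_accepted, byte_count_accepted)."""
    headers = [(b"content-length", b"10")]
    body_chunks = [b"x" * 65536] * 16
    return passes_header_check(headers, cap), accepts_body(body_chunks, cap)


if __name__ == "__main__":
    header_ok, stream_ok = demo()
    print(f"Content-Length check accepted the request: {header_ok}")
    print(f"Byte-counting check accepted the request:  {stream_ok}")
```

Running the module prints True for the header-based check and False for the byte-counting reader on the same understated request, which is the gap the advisory describes. A server-side limit only holds when it is enforced against the bytes read, so applications that cannot upgrade should also confirm that their front-end proxy or ASGI server enforces its own maximum request body size independently of any header.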

Mitigation

Django versions 3.2 and 4.2 are End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Django.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Superior (finder)

Vulnerability Details

Severity: High (CVSS assessment scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-33034
Project affected: Django
Versions affected: <=3.2.25, <=4.2.29, <=5.2.13, <=6.0.4
NES versions affected: none listed
Published date: June 2, 2026
≈ Fix date: April 29, 2026
Category: Denial of Service