BIT-django-2024-56374
Denial-of-Service vulnerability in django (PyPI)


What is BIT-django-2024-56374 About?

This Django vulnerability, present in versions 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18, stems from the absence of an upper-bound length check on strings passed to IPv6 validation, which opens the door to a potential denial-of-service attack. An attacker who can supply an excessively long IPv6 string to the affected functions can trigger it, and the malformed input required is simple to craft.

Affected Software

  • django
    • >4.2, <4.2.18
    • >5.0, <5.0.11
    • >5.1, <5.1.5

Technical Details

The vulnerability in Django versions 5.1 (before 5.1.5), 5.0 (before 5.0.11), and 4.2 (before 4.2.18) arises from the absence of upper-bound limit enforcement for strings passed during IPv6 validation. Specifically, the undocumented and private functions clean_ipv6_address and is_valid_ipv6_address, as well as the django.forms.GenericIPAddressField form field, are affected. Attackers can provide extremely long IPv6 address strings to these components. Without proper length validation, the processing of these oversized strings consumes excessive system resources (e.g., CPU cycles, memory), leading to a resource exhaustion state and ultimately a denial-of-service condition for the application.
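As an added, stand-alone illustration (not Django's code), the following contrasts a validator with no length bound, the shape the advisory describes, against one that checks the length before any parsing happens. The standard-library ipaddress module stands in for the affected private helpers, and the 39-character cap is an assumption derived from the longest fully expanded IPv6 textual form, not a value the advisory gives.

```python
import ipaddress

# Assumption (not from the advisory): a fully expanded IPv6 address is at most
# 39 characters (8 groups of 4 hex digits plus 7 colons); widen the cap if you
# accept the longer dotted-quad IPv4-embedded spelling.
MAX_IPV6_ADDRESS_LENGTH = 39
PARSE_CALLS = {"count": 0}  # how many inputs actually reached the parser


def parse_ipv6(ip_str):
    """Stand-in for the affected private helpers: no length check, so the work
    done scales with attacker-controlled input size."""
    PARSE_CALLS["count"] += 1
    return ipaddress.IPv6Address(ip_str)


def is_valid_ipv6_unbounded(ip_str):
    """Pre-fix shape: every string, however long, reaches the parser."""
    try:
        parse_ipv6(ip_str)
    except ValueError:
        return False
    return True


def is_valid_ipv6_bounded(ip_str, max_length=MAX_IPV6_ADDRESS_LENGTH):
    """Hardened shape: a constant-time length check runs before any parsing."""
    if len(ip_str) > max_length:
        return False
    return is_valid_ipv6_unbounded(ip_str)


def clean_ipv6_bounded(ip_str, unpack_ipv4=False, max_length=MAX_IPV6_ADDRESS_LENGTH):
    """Compressed form, or the embedded IPv4 address when unpack_ipv4 is set;
    raises ValueError on invalid or oversized input."""
    if len(ip_str) > max_length:
        raise ValueError("IPv6 address longer than %d characters" % max_length)
    addr = parse_ipv6(ip_str)
    if unpack_ipv4 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


# Constructed inputs: two legitimate addresses and an oversized string of the
# kind the advisory describes (its length, not its content, is the problem).
SAMPLE_INPUTS = [
    "2001:0db8:0000:0000:0000:0000:0000:0001",
    "::ffff:192.0.2.1",
    "1" * 1_000_000 + "::",
]
```

Running both validators over SAMPLE_INPUTS gives the same verdicts, but PARSE_CALLS shows the bounded version never hands the oversized string to the parser, which is the resource the advisory says gets exhausted.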

What is the Impact of BIT-django-2024-56374?

Successful exploitation may allow attackers to cause a denial-of-service by consuming excessive system resources, making the application unresponsive to legitimate users.

What is the Exploitability of BIT-django-2024-56374?

Exploitation of this vulnerability involves providing an excessively long string to input fields or parameters that are processed by the vulnerable IPv6 validation functions (clean_ipv6_address, is_valid_ipv6_address, or django.forms.GenericIPAddressField). The complexity is low, as it primarily requires crafting a malformed input. Authentication requirements depend on whether the input field using these functions is accessible to unauthenticated users; if so, an unauthenticated remote attack is possible. No special privileges are generally required. The attack is remote if the vulnerable input is accessible over a network. Risk factors that increase likelihood include publicly exposed forms or APIs that accept IP address inputs and rely on the vulnerable Django components for validation.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for BIT-django-2024-56374?

A Fix by Resolved Security Exists!

Available Upgrade Options

  • django
    • >4.2, <4.2.18 → Upgrade to 4.2.18
    • >5.0, <5.0.11 → Upgrade to 5.0.11
    • >5.1, <5.1.5 → Upgrade to 5.1.5

Additional Resources

What are Similar Vulnerabilities to BIT-django-2024-56374?

Similar Vulnerabilities: CVE-2023-46702, CVE-2023-36053, CVE-2023-34057, CVE-2022-32230, CVE-2022-24328