BIT-django-2025-26699
Denial of Service vulnerability in django (PyPI)
What is BIT-django-2025-26699 About?
An issue exists in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20 in the `django.utils.text.wrap()` method and `wordwrap` template filter. When processing very long strings, this can lead to a denial-of-service attack due to excessive resource consumption. This vulnerability is moderately easy to exploit with specific input.
Affected Software
- django
  - >5.0, <5.0.13
  - >4.2, <4.2.20
  - >5.1, <5.1.7
Technical Details
The denial-of-service vulnerability affects two of Django's text-processing functions: the django.utils.text.wrap() method and the wordwrap template filter, in versions 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. When these functions are used to process extremely long input strings, they exhibit inefficient algorithmic behavior or excessive resource consumption (e.g., CPU cycles or memory). An attacker can submit a very long string to an application endpoint that subsequently processes this input using one of the vulnerable functions, leading to the server becoming unresponsive or crashing due to resource exhaustion, thereby denying service to legitimate users.
What is the Impact of BIT-django-2025-26699?
Successful exploitation may allow attackers to cause a denial of service, leading to server unresponsiveness, excessive resource consumption, or crashes, disrupting normal application operations.
What is the Exploitability of BIT-django-2025-26699?
Exploitation requires an attacker to be able to submit very long strings to an application endpoint that uses the django.utils.text.wrap() method or the wordwrap template filter. Authentication might be required to interact with such an endpoint, depending on the application's design, but the vulnerability's impact stems from processing the malicious input. The flaw is likely exploitable remotely, given that web applications typically process user-supplied string data. The complexity is relatively low, requiring an attacker to send a sufficiently long string. The primary risk factor is any application input field (e.g., text areas, comments) that processes user-supplied text through these vulnerable Django utilities without length restrictions or proper handling of excessively long inputs.
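The two defensive checks a practitioner would want here are an input-length budget in front of any wrapping call and a version gate that flags the affected Django series. The block below is an added example, not code from the page or from the Django project. It assumes the names `bounded_wrap`, `is_affected`, `InputTooLong` and the limit `MAX_WRAP_INPUT`, and it uses the standard library's `textwrap.fill` as a stand-in for `django.utils.text.wrap` so it runs without Django installed; in a real application the Django function would be passed in as `wrap_fn`. The affected ranges are taken from this advisory only.

```python
import re
import textwrap
from typing import Callable, Tuple

# Assumed length budget for illustration; size it to what the feature really needs.
MAX_WRAP_INPUT = 10_000


class InputTooLong(ValueError):
    """Raised when text exceeds the length budget allowed for wrapping."""


def bounded_wrap(
    text: str,
    width: int,
    wrap_fn: Callable[[str, int], str] = textwrap.fill,  # stand-in for django.utils.text.wrap
    max_chars: int = MAX_WRAP_INPUT,
) -> str:
    """Reject over-long input before it reaches the wrapping routine.

    The length check is O(1) and happens before any wrapping work, so an
    excessively long string is refused instead of consuming CPU or memory.
    """
    if not isinstance(text, str):
        raise TypeError("text must be a str")
    if len(text) > max_chars:
        raise InputTooLong(f"input of {len(text)} chars exceeds limit of {max_chars}")
    return wrap_fn(text, width)


# Affected series and the release that fixes each, exactly as the advisory states:
# 4.2 before 4.2.20, 5.0 before 5.0.13, 5.1 before 5.1.7.
AFFECTED_RANGES: Tuple[Tuple[Tuple[int, int], Tuple[int, int, int]], ...] = (
    ((4, 2), (4, 2, 20)),
    ((5, 0), (5, 0, 13)),
    ((5, 1), (5, 1, 7)),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; a missing patch is 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the installed Django release falls in one of the advisory's ranges.

    Series not listed on this page (e.g. 3.2 or 5.2) return False; this check
    covers only the ranges the advisory names.
    """
    v = parse_version(version)
    for series, fixed in AFFECTED_RANGES:
        if v[:2] == series and v < fixed:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs.
    print(bounded_wrap("a b c", 3))
    for ver in ("4.2.19", "4.2.20", "5.0.12", "5.1.7"):
        print(ver, "affected" if is_affected(ver) else "fixed/not listed")
```

In a Django application the same budget is most naturally enforced at the form layer (for example a `CharField` with `max_length` set) so that over-long text never reaches a view or template that calls `wrap()` or `wordwrap`; `is_affected` is the kind of check a dependency audit would run against the output of `pip show django`.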
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-django-2025-26699?
Available Upgrade Options
- django
  - >4.2, <4.2.20 → Upgrade to 4.2.20
  - >5.0, <5.0.13 → Upgrade to 5.0.13
  - >5.1, <5.1.7 → Upgrade to 5.1.7
Additional Resources
- https://osv.dev/vulnerability/PYSEC-2025-13
- https://www.djangoproject.com/weblog/2025/mar/06/security-releases/
- https://docs.djangoproject.com/en/dev/releases/security
- https://groups.google.com/g/django-announce
- https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html
- https://www.djangoproject.com/weblog/2025/mar/06/security-releases
- https://docs.djangoproject.com/en/dev/releases/security/
- https://osv.dev/vulnerability/GHSA-p3fp-8748-vqfq
- https://github.com/django/django
What are Similar Vulnerabilities to BIT-django-2025-26699?
Similar Vulnerabilities: CVE-2023-45133, CVE-2022-31129, CVE-2021-39144, CVE-2020-13936, CVE-2019-12406
