BIT-django-2025-27556
Denial of Service vulnerability in django (PyPI)
What is BIT-django-2025-27556 About?
This is a Denial of Service vulnerability in Django 5.1 (before 5.1.8) and 5.0 (before 5.0.14) affecting Windows systems. The flaw stems from slow NFKC normalization of Unicode input on Windows, which adversaries can exploit by submitting very large Unicode inputs. This can lead to resource exhaustion and service unavailability.
Affected Software
- django
  - >5.0, <5.0.14
  - >5.1, <5.1.8
Technical Details
The vulnerability impacts Django applications running on Windows and using the django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, or django.views.i18n.set_language views. The core issue is the inefficiency of NFKC (Normalization Form Compatibility Composition) normalization of Unicode characters on Windows platforms. An attacker can craft requests containing a very large number of Unicode characters in the input parameters processed by these views. When the views perform NFKC normalization on such oversized strings, the operation becomes exceptionally slow and resource-intensive on Windows, consuming excessive CPU cycles and memory. By continuously sending such inputs, an attacker can exhaust server resources, leading to a denial-of-service condition for legitimate users.
What is the Impact of BIT-django-2025-27556?
Successful exploitation may allow attackers to degrade the performance of the Django application significantly, consume excessive server resources, or make the application unresponsive, leading to a denial of service for legitimate users.
What is the Exploitability of BIT-django-2025-27556?
Exploitation of this denial-of-service vulnerability is of moderate complexity. It requires an attacker to send specially crafted requests to the vulnerable Django views (LoginView, LogoutView, or set_language) with very large Unicode character inputs. No specific authentication or high privileges are required, as the attack targets the processing of user input in publicly accessible views. It is a remote exploitation scenario, accessible via the web application. The primary special condition is that the Django application must be running on a Windows operating system. Risk factors include publicly exposed Django instances on Windows with insufficient rate limiting or input validation on Unicode character lengths.
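The mitigation pattern the Technical Details and Exploitability sections point at is to bound the length of untrusted input before it reaches NFKC normalization, while still normalizing so that compatibility characters (fullwidth letters, ligatures) cannot slip an unexpected host past an allow-list. The following is an added example written for this page; it is not Django's code, and the function names `bounded_nfkc`, `is_safe_redirect`, the `MAX_INPUT_LENGTH` value and the sample inputs are all assumptions chosen for illustration. Django's actual fix is in the commit linked under Additional Resources.

```python
import unicodedata
from typing import Optional
from urllib.parse import urlsplit

# Length cap applied before normalization. This value is an assumption chosen
# for the example; Django's own fix and its limit are in the linked commit.
MAX_INPUT_LENGTH = 2048


def bounded_nfkc(value: str, max_length: int = MAX_INPUT_LENGTH) -> Optional[str]:
    """NFKC-normalize value, or return None when it is too long to normalize safely.

    The length check runs on the raw string *before* unicodedata.normalize, so
    an oversized payload is rejected in constant time instead of paying the
    (Windows-slow) normalization cost first.
    """
    if len(value) > max_length:
        return None
    return unicodedata.normalize("NFKC", value)


def is_safe_redirect(next_url: str, allowed_hosts: set,
                     max_length: int = MAX_INPUT_LENGTH) -> bool:
    """Hypothetical validator for a 'next'-style redirect parameter (not Django's own).

    Normalizes first so that compatibility characters such as fullwidth letters
    cannot smuggle an external host past the allow-list, and bounds the length
    so that normalization itself cannot be turned into a denial of service.
    """
    normalized = bounded_nfkc(next_url, max_length)
    if normalized is None:
        return False  # oversized input: reject without normalizing
    if "\\" in normalized:
        return False  # browsers treat backslashes as slashes; refuse the ambiguity
    parts = urlsplit(normalized)
    if parts.scheme not in ("", "http", "https"):
        return False  # javascript:, data:, etc.
    if not parts.netloc:
        return parts.path.startswith("/")  # site-relative path only
    return parts.hostname in allowed_hosts


if __name__ == "__main__":
    hosts = {"example.com"}
    # Constructed sample inputs: a fullwidth 'e' (U+FF45) that NFKC folds to 'e',
    # and an oversized payload of the kind the advisory describes.
    samples = [
        "/accounts/profile/",
        "https://\uff45xample.com/next",
        "https://evil.example/",
        "//evil.example/",
        "/" + "\uff45" * 5000,
    ]
    for s in samples:
        print(repr(s[:40]), "->", is_safe_redirect(s, hosts))
```

The order of operations is the point: the length check precedes `unicodedata.normalize`, so the expensive path is never reached for an oversized request, and the host comparison happens on the normalized string, so the fullwidth `ｅ` in `ｅxample.com` is matched as `example.com` rather than treated as a different host.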
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-django-2025-27556?
Available Upgrade Options
- django >5.0, <5.0.14 → Upgrade to 5.0.14
- django >5.1, <5.1.8 → Upgrade to 5.1.8
Additional Resources
- https://www.djangoproject.com/weblog/2025/apr/02/security-releases/
- https://groups.google.com/g/django-announce
- http://www.openwall.com/lists/oss-security/2025/04/02/2
- https://github.com/django/django/commit/39e2297210d9d2938c75fc911d45f0e863dc4821
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-14.yaml
- https://docs.djangoproject.com/en/dev/releases/security/
- https://osv.dev/vulnerability/PYSEC-2025-14
What are Similar Vulnerabilities to BIT-django-2025-27556?
Similar Vulnerabilities: CVE-2023-46731, CVE-2023-45582, CVE-2023-38408, CVE-2023-36052, CVE-2022-42889
