CVE-2023-36053
Denial of Service (DoS) vulnerability in django (PyPI)
What is CVE-2023-36053 About?
This is a Regular expression Denial of Service (ReDoS) vulnerability in Django's `EmailValidator` and `URLValidator`. Specially crafted email addresses or URLs with a very large number of domain name labels can cause excessive processing time due to backtracking, leading to a denial of service. Exploitation can be achieved remotely through malicious input.
Affected Software
- django
- >3.2a1, <3.2.20
- >4.2, <4.2.3
- >4.0a1, <4.1.10
- >4.2a1, <4.2.3
Technical Details
The vulnerability affects Django versions 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3. It specifically affects the EmailValidator and URLValidator components. These validators use regular expressions to parse and validate email addresses and URLs. An attacker can craft an input string for an email or URL that contains an unusually large number of domain name labels (e.g., user@a.b.c.d.......z.com). Such a string is legitimate in structure but, when processed by the specific regular expressions used in these Django validators, it triggers catastrophic backtracking. This causes the regular expression engine's evaluation time to grow exponentially with the length of the input, leading to significant and prolonged consumption of CPU resources. This effectively stalls the process performing the validation, blocking it from serving other requests and resulting in a denial of service condition for the application.
What is the Impact of CVE-2023-36053?
Successful exploitation may allow attackers to cause a denial of service, making the affected application unresponsive and unavailable to legitimate users, severely impacting service availability.
What is the Exploitability of CVE-2023-36053?
Exploitation of this vulnerability is of low complexity. An attacker only needs to submit a specially crafted string with a large number of domain labels to a form field or API endpoint that accepts an email address or URL. The vulnerability can be exploited remotely. Authentication requirements depend on whether the vulnerable input fields are accessible to unauthenticated users (e.g., registration forms, contact forms) or only to authenticated users. No specific privileges are required beyond the ability to submit data to the application. The primary risk factors are public-facing Django applications that validate user-provided email addresses or URLs, especially if these applications rely solely on the vulnerable EmailValidator or URLValidator without additional rate limiting or input length restrictions before validation.
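The length restriction mentioned above can be applied as a linear-time pre-check that runs before the value ever reaches EmailValidator or URLValidator. This is an added example written for this page, not code from Django or from the Django fix; the caps, the label regex and the function names are assumptions chosen for illustration. Because it only splits on "." and matches each label against a bounded, anchored pattern, its cost stays proportional to the input length no matter how many labels the string contains.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Caps used by this example; the specific numbers are assumptions for
# illustration, not values taken from Django's own fix.
MAX_EMAIL_LENGTH = 320     # upper bound for a full mailbox address (RFC 3696)
MAX_URL_LENGTH = 2048
MAX_DOMAIN_LABELS = 32     # far above any real hostname, far below a ReDoS payload

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
# Anchored and free of nested quantifiers, so it cannot backtrack catastrophically.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def domain_is_sane(host: str, max_labels: int = MAX_DOMAIN_LABELS) -> bool:
    """Linear-time check of hostname length, label count and per-label syntax."""
    if not host or len(host) > 253:
        return False
    labels = host.split(".")
    if len(labels) > max_labels:
        return False
    return all(_LABEL_RE.match(label) for label in labels)


def precheck_email(value: str) -> Optional[str]:
    """Return None if value is safe to hand to EmailValidator, else the reason."""
    if len(value) > MAX_EMAIL_LENGTH:
        return "email longer than %d characters" % MAX_EMAIL_LENGTH
    if value.count("@") != 1:
        return "email must contain exactly one '@'"
    local, host = value.rsplit("@", 1)
    if not local or not domain_is_sane(host):
        return "email domain is malformed or has too many labels"
    return None


def precheck_url(value: str) -> Optional[str]:
    """Return None if value is safe to hand to URLValidator, else the reason."""
    if len(value) > MAX_URL_LENGTH:
        return "url longer than %d characters" % MAX_URL_LENGTH
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return "url could not be parsed"
    if host is None:
        return "url has no host"
    if ":" in host:          # IPv6 literal: no labels, left to the real validator
        return None
    if not domain_is_sane(host):
        return "url host is malformed or has too many labels"
    return None
```

In a Django project the pre-check would sit in the form or serializer clean method, raising a validation error when a reason is returned and otherwise delegating to the stock validator.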
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-36053?
Available Upgrade Options
- django
- >3.2a1, <3.2.20 → Upgrade to 3.2.20
- django
- >4.0a1, <4.1.10 → Upgrade to 4.1.10
- django
- >4.2a1, <4.2.3 → Upgrade to 4.2.3
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
- https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html
- https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582
- https://github.com/django/django
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://nvd.nist.gov/vuln/detail/CVE-2023-36053
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-100.yaml
What are Similar Vulnerabilities to CVE-2023-36053?
Similar Vulnerabilities: CVE-2024-24762, CVE-2022-30973, CVE-2021-27516, CVE-2020-8199, CVE-2020-26233
