CVE-2025-14550
Denial-of-service vulnerability in django (PyPI)

Category: Denial-of-service. Known public exploit: none.

What is CVE-2025-14550 About?

This denial-of-service vulnerability affects Django's `ASGIRequest` handler, the request class used when Django is served over ASGI (for example via `django.core.asgi` under an ASGI server). A remote attacker can trigger it with crafted requests that carry a large number of duplicate headers; processing them consumes enough resources to degrade or stall the service. Exploitation requires nothing more than network access to the application. Deployments that serve Django only through WSGI do not use `ASGIRequest` and are not affected by this issue.

Affected Software

  • django
    • >=4.2a1, <4.2.28
    • >=5.2a1, <5.2.11
    • >=6.0a1, <6.0.2

Technical Details

The vulnerability lies in the `ASGIRequest` handler in Django. When an ASGI request arrives, the handler walks the header list in the ASGI scope and merges repeated header names into single entries of the request's `META` dictionary. A remote attacker who sends a crafted request containing many duplicate headers forces that merge step to consume far more resources (CPU time and memory) than a normal request, so worker time is spent on the malicious request instead of legitimate traffic and the application becomes unresponsive. This constitutes a denial-of-service condition; it does not give the attacker any access to data or code execution.
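The following is an added example (not Django's code and not Resolved Security's) showing what "duplicate headers" look like at the ASGI layer and a defensive check that can sit in front of the framework while an upgrade is being scheduled. ASGI delivers headers as a list of `(name, value)` byte pairs in `scope["headers"]`, so a flood of repeats is just a very long list. The middleware class, the `MAX_HEADER_ENTRIES` limit, the `simulate` helper and the sample header lists are all constructed for this illustration; the linear merge in `merge_duplicate_headers` shows the join-once pattern that keeps duplicate handling cheap, as opposed to repeatedly concatenating onto a growing string.

```python
"""Hypothetical ASGI middleware that rejects requests carrying an
excessive number of header entries before the framework parses them.
Added example; not part of Django or of the advisory above."""

import asyncio
from collections import defaultdict

# Constructed limit for this example. Tune it to the real header usage of
# the application; browsers and normal clients send a few dozen at most.
MAX_HEADER_ENTRIES = 100


def count_header_entries(headers):
    """Return (total entries, highest repeat count of a single name) for
    an ASGI scope['headers'] list of (name, value) byte pairs."""
    counts = defaultdict(int)
    for name, _value in headers:
        counts[name.lower()] += 1
    total = sum(counts.values())
    return total, max(counts.values(), default=0)


def merge_duplicate_headers(headers):
    """Collapse repeated header names into one comma-joined value.

    The parts for each name are collected in a list and joined once, so
    the cost is linear in the number of entries. Doing value += b"," + part
    for every duplicate instead copies the growing string each time, which
    is the kind of cost a header flood can amplify."""
    parts = defaultdict(list)
    for name, value in headers:
        parts[name.lower()].append(value)
    return {name: b",".join(values) for name, values in parts.items()}


class HeaderCountLimitMiddleware:
    """Reject HTTP requests whose header list exceeds max_entries with a
    431 Request Header Fields Too Large, without touching the inner app."""

    def __init__(self, app, max_entries=MAX_HEADER_ENTRIES):
        self.app = app
        self.max_entries = max_entries

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            total, _ = count_header_entries(scope.get("headers", []))
            if total > self.max_entries:
                body = b"Too many header fields\n"
                await send({
                    "type": "http.response.start",
                    "status": 431,
                    "headers": [
                        (b"content-type", b"text/plain"),
                        (b"content-length", str(len(body)).encode()),
                    ],
                })
                await send({"type": "http.response.body", "body": body})
                return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Constructed downstream app standing in for Django: always 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def simulate(headers, max_entries=MAX_HEADER_ENTRIES):
    """Run a constructed HTTP scope through the middleware and return the
    status code the client would receive."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    scope = {"type": "http", "method": "GET", "path": "/",
             "headers": list(headers)}
    app = HeaderCountLimitMiddleware(_ok_app, max_entries)
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    normal = [(b"host", b"example.test"), (b"accept", b"*/*")]
    flood = [(b"x-dup", b"a")] * 5000  # constructed flood of one repeated header
    print(simulate(normal), simulate(flood))  # prints: 200 431
```

Wrap the Django ASGI application in `HeaderCountLimitMiddleware` in `asgi.py` (or apply an equivalent limit at the reverse proxy, which many proxies already enforce) to keep oversized header lists away from the request handler. This is a stop-gap only; the real fix is upgrading to a patched Django release.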

What is the Impact of CVE-2025-14550?

Successful exploitation lets an unauthenticated attacker degrade or deny service availability: the ASGI worker spends its time and memory on the crafted request, so legitimate requests queue up or time out. Confidentiality and integrity are not affected.

What is the Exploitability of CVE-2025-14550?

Exploitation is low in complexity. A remote attacker needs only to send HTTP requests containing a large number of duplicate headers to an application that handles requests through Django's `ASGIRequest`. No authentication or privileged access is required, so this is an unauthenticated, remote attack vector. The prerequisites are a vulnerable Django version and an ASGI deployment reachable by the attacker; WSGI-only deployments are not exposed. A reverse proxy or load balancer that caps header count or total header size in front of the application reduces exposure but is not a substitute for upgrading. Any publicly accessible Django ASGI application should be treated as at risk until patched.

What are the Known Public Exploits?

No known public exploits or proof-of-concept code have been published for this vulnerability.

What are the Available Fixes for CVE-2025-14550?

Available Upgrade Options

  • django
    • >=4.2a1, <4.2.28 → Upgrade to 4.2.28
    • >=5.2a1, <5.2.11 → Upgrade to 5.2.11
    • >=6.0a1, <6.0.2 → Upgrade to 6.0.2

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2025-14550?

Similar Vulnerabilities: CVE-2023-31046, CVE-2023-28704, CVE-2023-28706, CVE-2023-28705, CVE-2023-45811