CVE-2025-26699
Denial-of-Service vulnerability in django (PyPI)
What is CVE-2025-26699 About?

This Denial-of-Service vulnerability in Django's `django.utils.text.wrap()` function and the `wordwrap` template filter can be triggered by processing very long strings. Such inputs cause excessive computation and resource exhaustion. Exploitation is relatively straightforward if an attacker can supply long strings to either of these functions.

Affected Software

  • django
    • >5.1, <5.1.7
    • >4.2, <4.2.20
    • >5.0, <5.0.13

Technical Details

The vulnerability lies in the implementation of Django's `django.utils.text.wrap()` function and the `wordwrap` template filter built on it. Both are designed to break long strings into multiple lines. When given exceptionally long input, especially strings with particular patterns or without whitespace at regular intervals, the underlying logic (potentially regular expressions or inefficient string manipulation) degrades badly: the wrapping algorithm consumes a disproportionate amount of CPU time and memory relative to the input size. That resource exhaustion produces a denial-of-service condition in which the Django application becomes unresponsive or crashes under the processing bottleneck. This is a form of algorithmic-complexity attack.
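For comparison, the following is an added illustration (not Django's code and not its patch) of the same wrapping contract implemented so that its cost stays linear in the input length, plus a call-site length cap that a defender can apply to user-controlled fields regardless of the Django version in use. It assumes the contract of Django's `wrap()`: existing line breaks are kept, whitespace is preserved except for the space consumed by an inserted break, and long words are never split. The names `wrap_linear`, `wrap_user_text` and `MAX_WRAP_CHARS` are hypothetical.

```python
# Added example: a single-pass, index-based word wrap with the same contract as
# django.utils.text.wrap(), and a length guard for user-supplied text.
# Not Django's implementation. Names below are hypothetical.

# Assumed per-field cap; choose a value that fits the fields your app wraps.
MAX_WRAP_CHARS = 20_000


def wrap_linear(text: str, width: int) -> str:
    """Wrap `text` to `width` columns.

    Existing newlines are preserved, all whitespace is kept except the single
    space on which an inserted line break lands, and words longer than `width`
    are emitted intact (so output lines may exceed `width`).

    Every character is examined a bounded number of times and the remaining
    text is never re-sliced, so the cost grows linearly with len(text).
    """
    out = []
    for line in text.splitlines(True):  # keepends=True: existing "\n" survive
        n = len(line)
        start = 0
        while n - start > width:
            # Last space inside the window [start, start + width] breaks here.
            brk = line.rfind(" ", start, start + width + 1)
            if brk == -1:
                # No space in the window: break at the first space after it,
                # or, if there is none, emit the long word unchanged.
                brk = line.find(" ", start)
                if brk == -1:
                    break
            out.append(line[start:brk])  # the space at `brk` is consumed
            out.append("\n")
            start = brk + 1
        out.append(line[start:])
    return "".join(out)


def wrap_user_text(text: str, width: int, max_chars: int = MAX_WRAP_CHARS) -> str:
    """Refuse over-long user input before any wrapping work is done.

    Bounding the input size at the call site keeps the worst-case cost of the
    wrapping step predictable even when the wrapper itself is inefficient.
    """
    if len(text) > max_chars:
        raise ValueError(f"refusing to wrap {len(text)} characters (limit {max_chars})")
    return wrap_linear(text, width)
```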

What is the Impact of CVE-2025-26699?

Successful exploitation may allow attackers to cause a denial-of-service condition, leading to the Django application becoming unresponsive or crashing, thus disrupting service for legitimate users.

What is the Exploitability of CVE-2025-26699?

Exploitation of this vulnerability is of low complexity. An attacker only needs to provide a very long string as input to a part of the Django application that uses either django.utils.text.wrap() or the wordwrap template filter. No special authentication or privileges are required if the application accepts user-controlled input that is subsequently processed by these functions. This can be a remote exploitation scenario if user input (e.g., user profiles, comments, messages) is processed by the vulnerable functions. There are no specific technical prerequisites beyond the input string length and content. Risk factors that increase exploitation likelihood include web applications that accept and display arbitrary user-generated content, especially in fields that are processed by text wrapping utilities, making it easy for an attacker to submit a lengthy payload.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2025-26699?

Available Upgrade Options

  • django
    • >4.2, <4.2.20 → Upgrade to 4.2.20
    • >5.0, <5.0.13 → Upgrade to 5.0.13
    • >5.1, <5.1.7 → Upgrade to 5.1.7

Additional Resources

What are Similar Vulnerabilities to CVE-2025-26699?

Similar Vulnerabilities: CVE-2023-5072, CVE-2022-48560, CVE-2022-30126, CVE-2020-25667, CVE-2019-15849