CVE-2026-25673
Received Received - Intake
Denial of Service via URL Parsing in Django URLField

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: Django Software Foundation

Description
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25673
EUVD
EUVD-2026-9294
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
djangoproject django From 4.2.0 (inc) to 4.2.29 (exc)
djangoproject django From 5.2 (inc) to 5.2.12 (exc)
djangoproject django From 6.0 (inc) to 6.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Django versions before 6.0.3, 5.2.12, and 4.2.29. It involves the URLField.to_python() function, which calls urllib.parse.urlsplit(). On Windows, urlsplit() performs NFKC normalization that is disproportionately slow for certain Unicode characters. A remote attacker can exploit this by sending large URL inputs containing these specific Unicode characters, causing the system to slow down significantly.

This slowdown can be leveraged to cause a denial of service (DoS) condition, where the application becomes unresponsive or very slow due to the processing overhead.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) attack. An attacker can send specially crafted large URLs containing certain Unicode characters that trigger slow processing in Django's URL parsing on Windows systems.

This can cause the affected Django application to become unresponsive or slow, potentially disrupting service availability for legitimate users.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25673. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart