CVE-2026-25673
Received Received - Intake
Denial of Service via URL Parsing in Django URLField

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: Django Software Foundation

Description
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-05
Generated
2026-05-07
AI Q&A
2026-03-03
EPSS Evaluated
2026-05-05
NVD
CVE-2026-25673
EUVD
EUVD-2026-9294
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
djangoproject django From 4.2.0 (inc) to 4.2.29 (exc)
djangoproject django From 5.2 (inc) to 5.2.12 (exc)
djangoproject django From 6.0 (inc) to 6.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Django versions before 6.0.3, 5.2.12, and 4.2.29. It involves the URLField.to_python() function, which calls urllib.parse.urlsplit(). On Windows, urlsplit() performs NFKC normalization that is disproportionately slow for certain Unicode characters. A remote attacker can exploit this by sending large URL inputs containing these specific Unicode characters, causing the system to slow down significantly.

This slowdown can be leveraged to cause a denial of service (DoS) condition, where the application becomes unresponsive or very slow due to the processing overhead.


How can this vulnerability impact me? :

The primary impact of this vulnerability is a denial of service (DoS) attack. An attacker can send specially crafted large URLs containing certain Unicode characters that trigger slow processing in Django's URL parsing on Windows systems.

This can cause the affected Django application to become unresponsive or slow, potentially disrupting service availability for legitimate users.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart