CVE-2026-25673
Modified
Modified - Updated After Analysis
Denial of Service via URL Parsing in Django URLField
Vulnerability report for CVE-2026-25673, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-03
Last updated on: 2026-06-30
Assigner: Django Software Foundation
Description
Description
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| djangoproject | django | From 4.2.0 (inc) to 4.2.29 (exc) |
| djangoproject | django | From 5.2 (inc) to 5.2.12 (exc) |
| djangoproject | django | From 6.0 (inc) to 6.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |