CVE-2026-33033
Denial of Service via MultipartParser Base64 Uploads in Django
Publication date: 2026-04-07
Last updated on: 2026-04-13
Assigner: Django Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| djangoproject | django | From 4.2 (inc) to 4.2.30 (exc) |
| djangoproject | django | From 5.2 (inc) to 5.2.13 (exc) |
| djangoproject | django | From 6.0 (inc) to 6.0.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Django versions 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. It involves the MultiPartParser component, which processes multipart uploads. Remote attackers can exploit this by submitting multipart uploads that include the header 'Content-Transfer-Encoding: base64' with excessive whitespace. This causes the system to degrade in performance.
Earlier unsupported Django versions such as 5.0.x, 4.1.x, and 3.2.x may also be affected, although they were not evaluated.
How can this vulnerability impact me?
The vulnerability allows remote attackers to degrade the performance of the affected Django application by submitting specially crafted multipart uploads. This can lead to resource exhaustion or denial of service conditions, potentially making the application slow or unresponsive.
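To triage exposure, the affected ranges in the table above can be checked against a project's pinned requirements. The following is an added example, not code from this page or from the Django project; the status labels, function names and sample requirement lines are constructed for illustration.

```python
import re

# Affected series from the table above, mapped to the first fixed release.
FIXED_IN = {(4, 2): (4, 2, 30), (5, 2): (5, 2, 13), (6, 0): (6, 0, 4)}

# A requirement line for the "django" package itself (not django-foo),
# with optional extras; captures the version specifier if there is one.
REQ = re.compile(r"^\s*django(?:\[[^\]]*\])?\s*([=<>!~].*?)?\s*(?:#.*)?$", re.I)
# An exact pin such as ==5.2.1 or ==6.0rc1; wildcards (==5.2.*) do not match.
EXACT = re.compile(r"^==\s*(\d+)\.(\d+)(?:\.(\d+))?((?:a|b|rc)\d+)?$")

def classify(version):
    """Return a status label (labels are this example's own) for (major, minor, patch)."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # Series not in the table; the page notes unsupported series
        # such as 5.0.x, 4.1.x and 3.2.x were not evaluated.
        return "unlisted-series"
    return "affected" if version < fixed else "fixed"

def scan(lines):
    """Return (line_number, specifier, status) for each django requirement."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQ.match(line)
        if not match:
            continue
        spec = (match.group(1) or "").split(";")[0].strip()
        exact = EXACT.match(spec)
        if not exact:
            # Ranges and bare names depend on what the resolver installs.
            findings.append((number, spec or "(any)", "unpinned"))
            continue
        version = tuple(int(g or 0) for g in exact.groups()[:3])
        findings.append((number, spec[2:].strip(), classify(version)))
    return findings

# Constructed sample input; a real file would carry a single django line.
SAMPLE = """\
# constructed sample requirements file
Django==4.2.29
django-extensions==3.2.3
django[argon2]==5.2.13
django==6.0.3
django==5.0.14
django>=5.2  # unpinned
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

An "unpinned" result means the installed version has to be confirmed in the deployed environment, since the requirement alone does not determine it.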