CVE-2026-33034
Unbounded Memory Load via Content-Length Bypass in Django
Publication date: 2026-04-07
Last updated on: 2026-04-13
Assigner: Django Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| djangoproject | django | From 4.2 (inc) to 4.2.30 (exc) |
| djangoproject | django | From 5.2 (inc) to 5.2.13 (exc) |
| djangoproject | django | From 6.0 (inc) to 6.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in certain versions of Django (6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30) where ASGI requests with a missing or understated Content-Length header can bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit.
Because of this, remote attackers can send requests with an unbounded request body that gets loaded into memory, potentially causing excessive memory usage.
How can this vulnerability impact me? :
This vulnerability allows remote attackers to bypass memory limits on request bodies, which can lead to excessive memory consumption on the server.
Such excessive memory usage can degrade server performance, cause denial of service by exhausting server resources, or potentially crash the application.