Description
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Published: 2026-03-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of service on Windows via Unicode normalization
Action: Patch
AI Analysis

Impact

`URLField.to_python()` in Django hands the submitted value to Python's `urllib.parse.urlsplit()`. On Windows, the NFKC normalization that `urlsplit()` performs is disproportionately slow for certain Unicode characters, so a remote attacker who submits a very large URL built from those characters can burn excessive CPU time on the server and cause a denial of service. The flaw is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).

Affected Systems

The affected product is Django, specifically versions 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Earlier unsupported releases such as 5.0.x, 4.1.x and 3.2.x were not evaluated and may also be at risk.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates the issue High: it is reachable over the network with no privileges and no user interaction, and the impact is confined to availability. The EPSS score of <1% suggests a low probability of exploitation as of the time of analysis, and the vulnerability is not included in the CISA KEV catalog. Exploitation only requires sending a crafted URL to any form or model field validated by `URLField` on a Windows host running an affected Django release.

Generated by OpenCVE AI on April 16, 2026 at 14:04 UTC.

Remediation

Fixed releases are available (Django 6.0.3, 5.2.12 and 4.2.29); no separate vendor workaround is listed here.

OpenCVE Recommended Actions

  • Upgrade Django to a fixed release – 6.0.3 or later, 5.2.12 or later, or 4.2.29 or later – depending on your current version.
  • When upgrading is not immediately possible, bound the input before it reaches `URLField.to_python()`. A `max_length` on the field is not enough on its own: Django's `Field.clean()` calls `to_python()` first and runs validators only afterwards, so a length check must happen earlier (in an overridden `to_python()` ahead of `super().to_python()`, in the view, or at the web‑server layer). Reject URLs that are overlong, and cap the length of any host part that contains non‑ASCII characters.
  • Apply request throttling or rate limiting at the application or web‑server layer to reduce the impact of a DoS attempt.
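The guard below is an added example (not Django's or CPython's code) that illustrates both the mechanism described under Impact and the interim mitigation above: it bounds the input before `urllib.parse.urlsplit()` is ever called. It relies on a property of CPython's `urlsplit()` that the advisory does not spell out, namely that NFKC normalization is applied only to the authority (network‑location) component and only when that component contains non‑ASCII characters. The limits `MAX_URL_LENGTH` and `MAX_NONASCII_NETLOC`, the helper names and the sample inputs are assumptions for illustration.

```python
"""Bound the work urlsplit() can do before calling it.

Added example; not Django's or CPython's code. CPython's urlsplit() runs
unicodedata.normalize('NFKC', ...) only over the authority part of the URL,
and only when that part is not pure ASCII, so capping the total length and
the length of a non-ASCII authority bounds the normalization cost without
refusing ordinary internationalised host names. The limits are assumed
values for illustration, not values taken from the advisory.
"""
import re
from urllib.parse import SplitResult, urlsplit

MAX_URL_LENGTH = 2048       # assumed application-wide cap on a submitted URL
MAX_NONASCII_NETLOC = 320   # assumed cap on userinfo@host:port when non-ASCII

# Scheme prefix as urlsplit() recognises it: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


class UnsafeURLInput(ValueError):
    """Input refused before urlsplit() (and therefore NFKC) runs."""


def raw_netloc(url: str) -> str:
    """Return the authority component from the raw text without parsing.

    Mirrors urlsplit()'s split: drop a leading scheme, require "//", then take
    everything up to the first "/", "?" or "#". It works on the raw string and
    so may over-approximate slightly (urlsplit() also strips whitespace); for
    a length guard that is the safe direction.
    """
    m = _SCHEME_RE.match(url)
    rest = url[m.end():] if m else url
    if not rest.startswith("//"):
        return ""
    body = rest[2:]
    end = len(body)
    for delim in "/?#":
        i = body.find(delim)
        if i != -1 and i < end:
            end = i
    return body[:end]


def guarded_urlsplit(url: str,
                     max_length: int = MAX_URL_LENGTH,
                     max_nonascii_netloc: int = MAX_NONASCII_NETLOC) -> SplitResult:
    """urlsplit() with resource bounds checked first.

    Every check here is a linear scan of the string and runs before the call
    that triggers normalization. In a Django form field the same checks belong
    in an overridden to_python() ahead of super().to_python(), because
    max_length validators run only after to_python() has returned.
    """
    if len(url) > max_length:
        raise UnsafeURLInput(f"URL longer than {max_length} characters")
    netloc = raw_netloc(url)
    if not netloc.isascii() and len(netloc) > max_nonascii_netloc:
        raise UnsafeURLInput(
            f"non-ASCII authority longer than {max_nonascii_netloc} characters")
    return urlsplit(url)


def is_accepted(url: str) -> bool:
    """True if guarded_urlsplit() would pass the URL on to urlsplit()."""
    try:
        guarded_urlsplit(url)
    except UnsafeURLInput:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a plain URL, an IDN host, an oversized non-ASCII
    # authority built from a compatibility character (U+FF41, FULLWIDTH LATIN
    # SMALL LETTER A, which NFKC maps to plain "a"), and an overlong path.
    samples = [
        "https://example.com/path?q=1",
        "https://bücher.example/katalog",
        "https://" + "\uff41" * 1000 + ".example/",
        "https://example.com/" + "a" * 3000,
    ]
    for s in samples:
        verdict = "accept" if is_accepted(s) else "reject"
        print(f"{verdict}: {s[:40]}{'...' if len(s) > 40 else ''}")
```

The non‑ASCII cap is deliberately generous enough for a real internationalised hostname (DNS names are at most 253 characters) while still making the worst case a few hundred characters of normalization rather than megabytes.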



Advisories
Source        ID                     Title
GitHub GHSA   GHSA-8p8v-wh79-9r56    Django vulnerable to Uncontrolled Resource Consumption
History

Thu, 05 Mar 2026 14:15:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Thu, 05 Mar 2026 00:15:00 +0000

Type         Values Removed            Values Added
Weaknesses                             CWE-770
References
Metrics      threat_severity: None     threat_severity: Important


Wed, 04 Mar 2026 15:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Djangoproject
                                       Djangoproject django
Vendors & Products                     Djangoproject
                                       Djangoproject django

Tue, 03 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Mar 2026 14:45:00 +0000

Type          Values Removed   Values Added
Description                    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Title                          Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows
Weaknesses                     CWE-400
References

MITRE

Status: PUBLISHED

Assigner: DSF

Published:

Updated: 2026-03-03T15:26:02.764Z

Reserved: 2026-02-04T18:27:10.657Z

Link: CVE-2026-25673

Vulnrichment

Updated: 2026-03-03T15:25:39.933Z

NVD

Status : Analyzed

Published: 2026-03-03T15:16:19.103

Modified: 2026-03-05T14:12:38.110

Link: CVE-2026-25673

Red Hat

Severity : Important

Public Date: 2026-03-03T14:28:28Z

Links: CVE-2026-25673 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T14:15:28Z

Weaknesses