Impact
The flaw lies in the DomainNameValidator, which allows newline characters to pass through when domain names are supplied programmatically. If an application subsequently places the unfiltered value into an HTTP response header, the newlines can split the header, leading to HTTP response splitting or injection. This vulnerability is a form of header injection that can subvert request/response integrity and possibly redirect users or expose confidential information, as the HTTP response can be manipulated by an attacker.
Affected Systems
The flaw affects Django releases 6.0 through 6.0.6 and 5.2 through 5.2.15. Versions before 6.0 and 5.2 are untested but may also be vulnerable. Applications using Django 5.0.x, 4.1.x, or 3.2.x are not evaluated and residual risks remain if similar code paths exist.
Risk and Exploitability
The CVSS score of 5.3 places this vulnerability in the medium severity range. Exploitation requires the attacker to control or influence the domain name value that the application will insert into HTTP headers. The attack vector is therefore application‑side, not directly network remote; the EPSS score is < 1%, so the precise likelihood of exploitation is very low. Django itself is not affected because its HttpResponse class filters newlines from headers, but custom usage bypassing the framework’s sanitization exposes the risk.
OpenCVE Enrichment