PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25673 Djangoproject CVE debrief

CVE-2026-25673 is a high-severity denial of service vulnerability in Django's URLField.to_python(). The method hands the submitted value to urllib.parse.urlsplit(), which performs NFKC normalization on Windows; that normalization is disproportionately slow for certain Unicode characters, so an unauthenticated remote attacker can tie up a worker by submitting a large URL value containing them. Affected versions are Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Earlier, unsupported series (5.0.x, 4.1.x, 3.2.x and older) were not evaluated and may also be affected. The issue was reported to Django by Seokchan Yoon.

Vendor
Djangoproject
Product
Django
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-03
Original CVE updated
2026-06-30
Advisory published
2026-03-03
Advisory updated
2026-06-30

Who should care

Developers and administrators running Django 6.0, 5.2, or 4.2 should treat this as actionable. Any form that validates untrusted input with forms.URLField is exposed, which includes ModelForms built from models.URLField, since that model field uses forms.URLField as its default form field. The CVSS 7.5 score reflects that no authentication or user interaction is needed, so organizations on affected versions should prioritize upgrading; the risk is highest for applications that accept URL values on unauthenticated endpoints or run on Windows hosts.

Technical summary

URLField.to_python() parses the submitted string with urllib.parse.urlsplit(). On Windows, urlsplit() applies NFKC normalization, and for certain Unicode characters that step is disproportionately slow relative to input size, so a single large URL value can consume an unbounded amount of CPU time in the request handler. The affected versions are 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, no confidentiality or integrity impact, high availability impact. One practical caveat: a max_length on the form field does not block the slow path, because Django runs to_python() before the field's validators, so length must be enforced earlier (request size limits, or a check in to_python() itself).

Defensive priority

With a CVSS score of 7.5, exploitable remotely with no authentication or user interaction, this is a priority for organizations on affected Django versions. Because the cost is paid synchronously inside the request handler, a small number of crafted requests can exhaust worker processes; upgrading is the only complete fix, with input size limits as a stop-gap.

Recommended defensive actions

  • Upgrade to Django 6.0.3, 5.2.12, or 4.2.29 or later, and redeploy every application that pins an affected version.
  • If upgrading is not immediately possible, bound the input before it reaches URLField.to_python(): lower DATA_UPLOAD_MAX_MEMORY_SIZE (default 2.5 MB) and enforce request body limits at the reverse proxy or WAF, and add rate limiting on endpoints that accept URL values. Note that max_length on the field alone is not a mitigation, since to_python() runs first.
  • Migrate applications on unsupported series (5.0.x, 4.1.x, 3.2.x and older) to a supported release; those series were not evaluated and receive no fix.
  • Monitor for request latency spikes and worker timeouts on endpoints with URL inputs, especially on Windows hosts, as an indicator of exploitation attempts.
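As an added example for the stop-gap described above (this is not Django's code and not the upstream fix), the block below puts a length guard in front of urllib.parse.urlsplit() so that oversized input is rejected before any parsing or normalization happens. The limit MAX_URL_LENGTH, the helper names, and the GuardedURLField subclass are assumptions; the subclass is only defined when Django is importable so the stdlib helpers run stand-alone.

```python
"""Size guard in front of urllib.parse.urlsplit().

Added example for this debrief; it is not Django's code and not the upstream
fix. Django's URLField.to_python() passes the raw value to urlsplit() before
any field validator runs, so a max_length on the field does not stop an
oversized input from reaching the slow path. This helper rejects input by
length first. MAX_URL_LENGTH and all names below are assumptions.
"""
from urllib.parse import SplitResult, urlsplit

# Assumed limit; real URLs submitted through forms are almost always far shorter.
MAX_URL_LENGTH = 2048


class URLTooLong(ValueError):
    """Input exceeded MAX_URL_LENGTH; raised before any parsing work is done."""


def guarded_urlsplit(value: str, max_length: int = MAX_URL_LENGTH) -> SplitResult:
    """Parse `value` with urlsplit() only if it is within the length budget."""
    if not isinstance(value, str):
        raise TypeError("expected str")
    # Constant-time length check first: it runs before the parse and, for
    # non-ASCII netlocs, before urlsplit()'s NFKC normalization.
    if len(value) > max_length:
        raise URLTooLong(f"URL input is {len(value)} characters; limit is {max_length}")
    return urlsplit(value)


def is_acceptable_url_input(value: str, max_length: int = MAX_URL_LENGTH) -> bool:
    """True if the guard lets the value through and urlsplit() accepts it."""
    try:
        guarded_urlsplit(value, max_length)
    except ValueError:  # URLTooLong is a ValueError; so are urlsplit()'s own rejections
        return False
    return True


def build_oversized_url(size: int, char: str = "\u00e9") -> str:
    """Constructed attacker-style input: a very long non-ASCII host part.

    The character is arbitrary; the advisory does not name the slow ones.
    """
    return "https://" + char * size + ".example/"


try:
    from django import forms
except ImportError:  # Django absent: the stdlib helpers above still work.
    forms = None

if forms is not None:
    class GuardedURLField(forms.URLField):
        """Assumed drop-in field: enforce the budget before Django's to_python().

        A stop-gap only; upgrading to a fixed Django release is the real fix.
        """

        def to_python(self, value):
            if isinstance(value, str) and len(value) > MAX_URL_LENGTH:
                raise forms.ValidationError(
                    "Enter a URL of at most %(limit)d characters.",
                    code="max_length",
                    params={"limit": MAX_URL_LENGTH},
                )
            return super().to_python(value)


if __name__ == "__main__":
    print(guarded_urlsplit("https://example.com/path?q=1"))
    print(is_acceptable_url_input(build_oversized_url(100_000)))  # False
```

The guard is deliberately placed in to_python() rather than in a validator: Django's Field.clean() calls to_python() first and only then validate() and run_validators(), so a validator would run after urlsplit() has already done the expensive work. Pair the field-level check with a request body limit at the proxy, since the form layer only sees the request after Django has buffered it.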

Evidence notes

CVE-2026-25673 was reported to Django by Seokchan Yoon. It affects Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29, and carries a CVSS 3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. It is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). The stored evidence does not list it in CISA KEV.

Official resources

This article is AI-assisted and based on the supplied source corpus.