PatchSiren cyber security CVE debrief
CVE-2026-25673 Djangoproject CVE debrief
CVE-2026-25673 is a high-severity denial of service vulnerability affecting Django's URLField.to_python() function. The issue arises from the function's use of urllib.parse.urlsplit(), which performs NFKC normalization on Windows. This process is disproportionately slow for certain Unicode characters, allowing remote attackers to cause denial of service via large URL inputs containing these characters. The vulnerability affects Django versions 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Earlier, unsupported Django series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated and may also be affected. Seokchan Yoon reported this issue to Django.
- Vendor: Djangoproject
- Product: Django
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-03
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-03
- Advisory updated: 2026-06-30
Who should care
Developers and operators running Django 6.0, 5.2, or 4.2 below the fixed releases (6.0.3, 5.2.12, 4.2.29) should treat this as a patch-now item. The exposure is any form that accepts a user-supplied URL through Django's URLField, because URLField.to_python() is what parses the submitted value. With a CVSS 3.1 base score of 7.5 and no authentication or user interaction required, an unauthenticated client can degrade availability with crafted URL submissions. Teams on the unsupported series the advisory did not evaluate (5.0.x, 4.1.x, 3.2.x) should assume they are affected until they have moved to a supported, fixed release.
Technical summary
URLField.to_python() hands the submitted value to urllib.parse.urlsplit(), which on Windows applies NFKC normalization to the input. For certain Unicode characters that normalization is disproportionately slow, so a client that submits a sufficiently large URL containing them consumes server CPU out of all proportion to the request size, which is the denial-of-service condition. Affected releases are 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5, High): reachable over the network, low attack complexity, no privileges or user interaction required, with the impact confined to availability.
Defensive priority
A base score of 7.5 with a network attack vector and no authentication requirement puts this in the patch-soon tier for any internet-facing Django deployment that accepts URLs in forms. Upgrading to the fixed release is the only complete remediation; everything else is a stopgap that limits how much attacker-controlled input reaches the slow code path.
Recommended defensive actions
- Upgrade to Django 6.0.3, 5.2.12, or 4.2.29 (or later) on the series you run; this is the only complete fix.
- Where the upgrade cannot ship immediately, bound the size of untrusted URL input before it reaches URLField.to_python(): cap request body size at the reverse proxy or with Django's DATA_UPLOAD_MAX_MEMORY_SIZE setting (default 2.5 MB), and rate-limit endpoints that accept URLs. Note that forms.URLField(max_length=...) on its own does not help, because that validator runs after to_python() has already parsed the value.
- Projects on series the advisory did not evaluate (5.0.x, 4.1.x, 3.2.x) get no fix there; move to a supported series rather than attempting a backport.
- After patching, confirm the running version in each deployed service (for example with python -m django --version) and redeploy anything that vendors or pins Django separately.
- Watch form-handling endpoints for latency spikes and worker timeouts, which is what successful exploitation of a CPU-exhaustion bug looks like from the operator's side.
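The stopgap above needs the size check to run before urlsplit(), not as a form validator. The block below is an added example written for this page; it is not code from the advisory, from Django, or from the reporter. It relies on two points the page does not state: in Django forms, Field.clean() calls to_python() first and runs the max_length validator afterwards, so a length cap must be applied ahead of the parse; and the advisory does not enumerate which Unicode characters are slow, so the ascii_only switch here is a blunt policy knob that also rejects legitimate internationalised URLs. The cap value, the function names, and the sample inputs are all assumptions of the example.

```python
"""Added example (not from the PatchSiren page or from Django): a length gate
applied before urllib.parse.urlsplit(), usable as a stopgap until the fixed
Django release is deployed.

Assumptions not stated on the page:
  * Django's Field.clean() runs to_python() before the max_length validator,
    so forms.URLField(max_length=...) does not shorten what urlsplit() sees.
  * The advisory does not list the slow characters, so ascii_only is a blunt
    policy switch, not a targeted fix.
"""
from urllib.parse import SplitResult, urlsplit

# Assumed operational cap; tune to what the application actually needs.
DEFAULT_MAX_URL_LENGTH = 2048


def guarded_urlsplit(value, max_length=DEFAULT_MAX_URL_LENGTH, ascii_only=False):
    """Split a URL only after cheap checks that involve no Unicode normalisation.

    Raises TypeError for non-str input and ValueError when policy rejects it;
    otherwise returns the SplitResult from urlsplit().
    """
    if not isinstance(value, str):
        raise TypeError("URL input must be a str")
    # len() on str is O(1): oversized input is refused before any parsing.
    if len(value) > max_length:
        raise ValueError(
            f"URL input of {len(value)} characters exceeds cap of {max_length}"
        )
    # str.isascii() is a plain linear scan with no Unicode table lookups.
    if ascii_only and not value.isascii():
        raise ValueError("non-ASCII URL input rejected by policy")
    return urlsplit(value)


def triage(values, **policy):
    """Classify a batch of candidate URLs under a policy.

    Returns a list of (verdict, detail) pairs: ("accepted", netloc) or
    ("rejected", reason), in input order.
    """
    results = []
    for candidate in values:
        try:
            parts = guarded_urlsplit(candidate, **policy)
            results.append(("accepted", parts.netloc))
        except (TypeError, ValueError) as exc:
            results.append(("rejected", str(exc)))
    return results


# Constructed sample inputs for illustration; not taken from real traffic.
SAMPLE_INPUTS = [
    "https://example.com/path?q=1",            # ordinary ASCII URL
    "https://bücher.example/katalog",          # legitimate internationalised host
    "https://" + "a" * 5000 + ".example",      # oversized: refused before parsing
]

if __name__ == "__main__":
    for verdict, detail in triage(SAMPLE_INPUTS):
        print(verdict, detail)
```

In a Django project the same gate belongs in a forms.URLField subclass whose to_python() checks len(value) and raises forms.ValidationError before calling super().to_python(); that keeps the check ahead of the parse rather than behind it. The ascii_only policy should only be switched on for endpoints that genuinely never need internationalised hostnames.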
Evidence notes
Seokchan Yoon reported CVE-2026-25673 to Django. The stored evidence records the affected series (6.0, 5.2, and 4.2 before their fixed releases), a CVSS 3.1 base score of 7.5 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and weakness classifications CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
Official resources
- CVE-2026-25673 CVE record (CVE.org)
- CVE-2026-25673 NVD detail (NVD)
- Mitigation or vendor reference: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 (Patch, Vendor Advisory)
- Mitigation or vendor reference: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 (Release Notes)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.