
CVE-2025-27556 django

Package

Manager: pip
Name: django
Vulnerable Version: >=5.0 <5.0.14 || >=5.1 <5.1.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00013 (percentile 0.01542)

Details

Django Potential Denial of Service (DoS) on Windows

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. Python's NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Fixed in Django 5.0.14 and 5.1.8 (see the vulnerable version range above).
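The mechanism described above, as an added illustration that is not Django's code and is not part of the original advisory: a NFKC normalization call fed request-controlled text, beside the bounded form that rejects oversized input before normalizing. The helper names, the constructed input and the 2048-character cap are assumptions made for this example; the advisory does not say which limit the fixed Django versions apply.

```python
import time
import unicodedata

# Assumed cap for the illustration; this advisory does not state the limit
# Django itself applies, so treat the number as a placeholder to tune.
MAX_INPUT_LENGTH = 2048


def normalize_unbounded(value: str) -> str:
    """Vulnerable shape: normalizes however many characters the client sent."""
    return unicodedata.normalize("NFKC", value)


def normalize_bounded(value: str, max_length: int = MAX_INPUT_LENGTH):
    """Hardened shape: refuse oversized input before paying for normalization.

    Returns None for rejected input so the caller can fall back to a safe
    default (for example the configured post-login redirect) instead of
    raising or normalizing an attacker-sized string.
    """
    if len(value) > max_length:
        return None
    return unicodedata.normalize("NFKC", value)


def build_hostile_input(repeat: int) -> str:
    """Constructed sample input: code points that NFKC actually rewrites
    (fullwidth Latin letters, the 'fi' ligature, a Roman numeral), repeated.
    """
    return "\uff21\uff22\uff23\ufb01\u2167" * repeat


def time_call(func, value: str):
    """Return (result, seconds) for one call, to compare the two shapes."""
    start = time.perf_counter()
    result = func(value)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    hostile = build_hostile_input(200_000)  # 1,000,000 characters
    _, unbounded_s = time_call(normalize_unbounded, hostile)
    rejected, bounded_s = time_call(normalize_bounded, hostile)
    print(f"unbounded: normalized {len(hostile)} chars in {unbounded_s:.3f}s")
    print(f"bounded:   rejected={rejected is None} in {bounded_s:.6f}s")
```

Run the script on a Windows host with a large `repeat` to reproduce the asymmetry the advisory describes; the advisory attributes the slowness to Windows, so a Linux or macOS development box may finish the unbounded call quickly and hide the cost. The bounded form is the check to look for in any code that normalizes a `next`, language or similar request parameter.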

Metadata

Created: 2025-04-02T15:31:37Z
Modified: 2025-04-09T20:02:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-wqfg-m96j-85vm/GHSA-wqfg-m96j-85vm.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-wqfg-m96j-85vm
Finding: F002
Auto approve: 1