EUVD-2025-200248
GHSA-vrcr-9hj9-jcg6
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 pypi packages depend on django (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 5.2a1.
DescriptionNVD
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in django.core.serializers.xml_serializer.getInnerText() allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML Deserializer. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Analysis
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in django.core.serializers.xml_serializer.getInnerText() allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML Deserializer. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Technical ContextAI
Insecure deserialization occurs when untrusted data is used to reconstruct objects, allowing attackers to manipulate serialized data to execute arbitrary code.
RemediationAI
A vendor patch is available — apply it immediately. Avoid deserializing untrusted data. Use safe serialization formats (JSON instead of native serialization). Implement integrity checks on serialized data.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH
pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently str
In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removin
Vendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| upstream | needs-triage | - |
| bionic | released | 1:1.11.11-1ubuntu1.21+esm13 |
| focal | released | 2:2.2.12-1ubuntu0.29+esm6 |
| jammy | released | 2:3.2.12-2ubuntu1.24 |
| noble | released | 3:4.2.11-1ubuntu1.13 |
| plucky | released | 3:4.2.18-1ubuntu1.7 |
| questing | released | 3:5.2.4-1ubuntu2.2 |
| trusty | released | 1.6.11-0ubuntu1.3+esm9 |
| xenial | released | 1.8.7-1ubuntu5.15+esm10 |
Debian
Bug #1121788| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 2:2.2.28-1~deb11u10 | - |
| bullseye (security) | fixed | 2:2.2.28-1~deb11u12 | - |
| bookworm | fixed | 3:3.2.25-0+deb12u1 | - |
| bookworm (security) | fixed | 3:3.2.25-0+deb12u2 | - |
| trixie (security), trixie | fixed | 3:4.2.28-0+deb13u1 | - |
| forky, sid | fixed | 3:4.2.29-1 | - |
| trixie | fixed | 3:4.2.27-0+deb13u1 | - |
| (unstable) | fixed | 3:4.2.27-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today