CVE-2025-64460

| EUVD-2025-200248 HIGH
2025-12-02 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 GHSA-vrcr-9hj9-jcg6
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 14:04 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 14:04 euvd
EUVD-2025-200248
Patch Released
Mar 15, 2026 - 14:04 nvd
Patch available
CVE Published
Dec 02, 2025 - 16:15 nvd
HIGH 7.5

Tags

Information Disclosure Python Ubuntu Debian Django Redhat Suse

Description

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Analysis

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in django.core.serializers.xml_serializer.getInnerText() allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML Deserializer. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Technical Context

Insecure deserialization occurs when untrusted data is used to reconstruct objects, allowing attackers to manipulate serialized data to execute arbitrary code.

Affected Products

Affected products: Djangoproject Django

Remediation

A vendor patch is available — apply it immediately. Avoid deserializing untrusted data. Use safe serialization formats (JSON instead of native serialization). Implement integrity checks on serialized data.

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium
python-django
Release Status Version
upstream needs-triage -
bionic released 1:1.11.11-1ubuntu1.21+esm13
focal released 2:2.2.12-1ubuntu0.29+esm6
jammy released 2:3.2.12-2ubuntu1.24
noble released 3:4.2.11-1ubuntu1.13
plucky released 3:4.2.18-1ubuntu1.7
questing released 3:5.2.4-1ubuntu2.2
trusty released 1.6.11-0ubuntu1.3+esm9
xenial released 1.8.7-1ubuntu5.15+esm10
USN-7903-1

Debian

Bug #1121788
python-django
Release Status Fixed Version Urgency
bullseye fixed 2:2.2.28-1~deb11u10 -
bullseye (security) fixed 2:2.2.28-1~deb11u12 -
bookworm fixed 3:3.2.25-0+deb12u1 -
bookworm (security) fixed 3:3.2.25-0+deb12u2 -
trixie (security), trixie fixed 3:4.2.28-0+deb13u1 -
forky, sid fixed 3:4.2.29-1 -
trixie fixed 3:4.2.27-0+deb13u1 -
(unstable) fixed 3:4.2.27-1 -
DLA-4425-1 DSA-6117-1 DSA-6136-1

Share

CVE-2025-64460 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy