CVE-2026-25673
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Analysis
Django's URLField validation triggers disproportionately slow NFKC Unicode normalization on Windows when a submitted URL contains certain Unicode characters, enabling remote attackers to cause denial of service through large crafted URL inputs. Affected versions include Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29; the unsupported 5.0.x, 4.1.x, and 3.2.x series were not evaluated and may also be affected. …
Remediation
Within 24 hours: Inventory all systems running affected versions (6.0.x, 5.2.x, 4.2.x pre-patch) and assess business criticality. Within 7 days: Deploy available patches to development and non-production environments, validate functionality, and plan production rollout. …
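Two helpers for the work described on this page, as an added example (not code from Django, the advisory, or vuln.today). The first maps an installed Django version onto the affected/fixed ranges in the Description, for the 24-hour inventory step in Remediation. The second shows the mechanism and the mitigation pattern: `urlsplit()` only runs its NFKC check when the netloc is non-ASCII, so a constructed non-ASCII netloc exercises the slow path, and a length cap applied before the value reaches `urlsplit()` keeps oversized input away from it. The 2048-character cap, the `time_urlsplit` diagnostic, the sample hostnames, and the assumption that 6.1+ postdates the advisory are all mine; the page does not say how the upstream patch works.

```python
"""Triage helpers for CVE-2026-25673 (Django URLField -> urlsplit NFKC DoS).

Added example for this page; not code from Django or vuln.today.
Assumptions are marked inline.
"""
import re
import time
from urllib.parse import urlsplit

# First fixed micro release per supported series, from the advisory text.
FIXED_MICRO = {(6, 0): 3, (5, 2): 12, (4, 2): 29}

# Assumption: 6.1 and later did not exist when the advisory was written.
NEWEST_LISTED_SERIES = (6, 0)

# Assumption: an application-level cap; choose what your URLs actually need.
DEFAULT_MAX_LENGTH = 2048


def parse_version(text):
    """'5.2.11' -> (5, 2, 11); a bare '5.2' counts as 5.2.0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(version):
    """Map an installed Django version onto the advisory's ranges.

    'affected'      - listed series, older than its fixed release
    'fixed'         - listed series, at or past its fixed release
    'not-evaluated' - older, unsupported series the advisory did not test
    'not-listed'    - newer than anything the advisory mentions
    """
    major, minor, micro = parse_version(version)
    series = (major, minor)
    if series in FIXED_MICRO:
        return "fixed" if micro >= FIXED_MICRO[series] else "affected"
    if series > NEWEST_LISTED_SERIES:
        return "not-listed"
    return "not-evaluated"


def inventory(hosts):
    """{hostname: django_version} -> {hostname: status} for the inventory step."""
    return {host: classify(ver) for host, ver in hosts.items()}


def time_urlsplit(value, repeat=5):
    """Seconds spent in `repeat` urlsplit() calls.

    CPython skips the NFKC check for an empty or pure-ASCII netloc, so compare
    an ASCII and a non-ASCII netloc of equal length to see the normalisation
    cost on your platform (the advisory ties the slowness to Windows).
    """
    start = time.perf_counter()
    for _ in range(repeat):
        urlsplit(value)
    return time.perf_counter() - start


def bounded_urlsplit(value, max_length=DEFAULT_MAX_LENGTH):
    """Length check *before* urlsplit(), so oversized input never reaches
    the normalisation step inside it."""
    if len(value) > max_length:
        raise ValueError(f"URL of {len(value)} chars exceeds cap {max_length}")
    return urlsplit(value)


def guard_rejects(value, max_length=DEFAULT_MAX_LENGTH):
    """Boolean form of bounded_urlsplit() for scripted checks."""
    try:
        bounded_urlsplit(value, max_length)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"web-01": "5.2.11", "web-02": "6.0.3", "legacy": "3.2.25"}
    print(inventory(sample))

    # Constructed inputs of equal length: one ASCII netloc, one non-ASCII.
    ascii_url = "https://" + "a" * 200_000
    unicode_url = "https://" + "\u00e9" * 200_000   # 'é' is NFKC-stable
    print("ascii   ", round(time_urlsplit(ascii_url), 4))
    print("unicode ", round(time_urlsplit(unicode_url), 4))
    print("guard rejects oversized:", guard_rejects(unicode_url))
```

One caveat when porting the guard into Django: `django.forms.Field.clean()` calls `to_python()` before `run_validators()`, so a `max_length` on the field is checked only after `URLField.to_python()` has already called `urlsplit()`. A pre-patch mitigation therefore has to run earlier than the field's own validators, for example in a `URLField` subclass that overrides `to_python()` with a length check, or in middleware that caps request body and query sizes.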
External POC / Exploit Code
GHSA-8p8v-wh79-9r56