CVE-2026-25673

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.djangoproject.com/en/dev/releases/security/	Vendor Advisory Patch
https://groups.google.com/g/django-announce	Release Notes
https://www.djangoproject.com/weblog/2026/mar/03/security-releases/	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:djangoproject:django::::::::
	cpe:2.3:a:djangoproject:django::::::::
	cpe:2.3:a:djangoproject:django::::::::

History

No history.

Information

Published : 2026-03-03 15:16

Updated : 2026-03-05 14:12

NVD link : CVE-2026-25673

Mitre link : CVE-2026-25673

CVE.ORG link : CVE-2026-25673

JSON object : View

Products Affected

djangoproject

django

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-25673", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-03T15:16:19.103", "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "tags": ["Vendor Advisory", "Patch"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}, {"url": "https://groups.google.com/g/django-announce", "tags": ["Release Notes"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}, {"url": "https://www.djangoproject.com/weblog/2026/mar/03/security-releases/", "tags": ["Patch", "Vendor Advisory"], "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.\n`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en 6.0 anterior a 6.0.3, 5.2 anterior a 5.2.12, y 4.2 anterior a 4.2.29.\n`URLField.to_python()` en Django llama a `urllib.parse.urlsplit()`, que realiza la normalizaci\u00f3n NFKC en Windows, la cual es desproporcionadamente lenta para ciertos caracteres Unicode, permitiendo a un atacante remoto causar denegaci\u00f3n de servicio a trav\u00e9s de grandes entradas de URL que contienen estos caracteres.\nSeries de Django anteriores y no compatibles (como 5.0.x, 4.1.x y 3.2.x) no fueron evaluadas y tambi\u00e9n podr\u00edan estar afectadas.\nDjango desea agradecer a Seokchan Yoon por informar sobre este problema."}], "lastModified": "2026-03-05T14:12:38.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE181B32-2EF8-4AF0-8500-AFF78A7787B5", "versionEndExcluding": "4.2.29", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91187FB5-19CD-4A7D-B61B-9BE8374164EA", "versionEndExcluding": "5.2.12", "versionStartIncluding": "5.2"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AAF6F95-4E20-4A81-832F-D0E29F7E158E", "versionEndExcluding": "6.0.3", "versionStartIncluding": "6.0"}], "operator": "OR"}]}], "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92"}