CVE-2022-41323 in Django

Summary

by MITRE • 10/16/2022

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.


Analysis

by VulDB Data Team • 05/14/2025

This vulnerability affects the Django web framework's handling of internationalized URLs (the locale-prefixed URL patterns produced by i18n_patterns()) and is a denial of service risk that can be triggered through a malformed locale value. The root cause is that Django treated the locale as a regular expression rather than as a literal string. A request carrying a crafted locale therefore hands an attacker-chosen pattern to the regular expression engine, where nested quantifiers over repeated characters cause catastrophic backtracking and the engine burns CPU time for as long as it keeps searching.

The flaw sits in URL resolution: the internationalization layer accepted a locale identifier and compiled it into the regular expression used for locale-prefixed URL patterns instead of matching it as plain text. With a pathological pattern the engine runs in exponential time, so a single request can hold a worker process for seconds or minutes. The affected releases are Django 3.2.x before 3.2.16, 4.0.x before 4.0.8, and 4.1.x before 4.1.2, which were all of the supported release series at the time of disclosure. The vulnerability maps to CWE-400 (Uncontrolled Resource Consumption) and aligns with ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation).

The operational impact goes beyond one slow request. Every malicious request pins a worker at full CPU, so a handful of concurrent requests can exhaust a typical WSGI or ASGI worker pool and the application stops answering legitimate traffic; if the deployment restarts unresponsive workers, the result looks like a crash from the user's point of view. The attack vector is a plain HTTP request with a crafted locale in the URL, requires minimal sophistication, and is easy to automate, which makes it attractive to anyone seeking to disrupt a service.

Mitigation should start with upgrading to the patched versions: 3.2.16, 4.0.8, or 4.1.2, depending on the release series in use. The fix escapes the locale prefix before it is compiled, so it can only ever match itself literally. Where an upgrade has to wait, rate limiting on URL requests reduces the damage, and the locale segment can be validated before it reaches Django's URL resolver, either at the reverse proxy or in middleware ordered ahead of LocaleMiddleware, by rejecting any first path segment that is not a plain language tag (letters, digits and hyphens); validation inside a view runs too late, because resolution has already happened. Access logs should be watched for locale prefixes that contain regular expression metacharacters, which is the shape an exploitation attempt takes. A web application firewall applying the same check adds a layer of defense in depth in front of the Django application.
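The following is an added example, not Django's code and not the VulDB analysis, that models the bug class described in the analysis above and the checks recommended in the mitigation paragraph. It compiles a locale string as a regex (the vulnerable shape), beside an escaped compilation and a plain prefix match (the hardened shapes), validates locale segments with a pattern modelled on the language-code check in Django's translation layer (a close model, not a copy of the framework's constant), and runs the metacharacter check over constructed access-log lines. The log lines and the helper names are assumptions for illustration.

```python
"""Added example (not Django's code): a simplified model of the CVE-2022-41323
bug class. An attacker-influenced locale string is compiled as a regular
expression; the hardened forms escape it or avoid regex entirely, and a
log check flags locale prefixes carrying regex metacharacters."""
import re

# Modelled on the language-code validation pattern used by Django's
# translation layer (letters, digits, hyphens, optional @modifier).
# Assumption: close in shape, not a verbatim copy of the framework constant.
LANGUAGE_CODE_RE = re.compile(
    r"^[a-z]{1,8}(?:-[a-z0-9]{1,8})*(?:@[a-z0-9]{1,20})?$", re.IGNORECASE
)
REGEX_METACHARS = set(r"()[]{}*+?|^$\.")


def is_valid_language_code(lang_code: str) -> bool:
    """Accept only a plain language-tag shape; reject regex syntax outright."""
    return bool(LANGUAGE_CODE_RE.search(lang_code))


def unsafe_prefix_pattern(locale: str) -> re.Pattern:
    """Vulnerable form: the locale becomes regex syntax. A value such as
    "(a+)+$" would make later matching backtrack exponentially (not run here)."""
    return re.compile(f"{locale}/")


def safe_prefix_pattern(locale: str) -> re.Pattern:
    """Hardened form: re.escape makes metacharacters match literally,
    the same direction the Django fix took for the locale prefix."""
    return re.compile(re.escape(f"{locale}/"))


def match_locale_prefix(path: str, active_locale: str):
    """Hardened matcher that needs no regex at all: a plain prefix test.
    Returns the remainder of the path, or None if the prefix is absent."""
    prefix = f"{active_locale}/"
    if path.startswith(prefix):
        return path[len(prefix):]
    return None


def compare(locale: str, path: str) -> dict:
    """Show how the unsafe and safe compilations disagree on one input."""
    return {
        "valid_code": is_valid_language_code(locale),
        "unsafe_match": unsafe_prefix_pattern(locale).match(path) is not None,
        "safe_match": safe_prefix_pattern(locale).match(path) is not None,
    }


# Constructed access-log lines in combined-log format (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [16/Oct/2022:10:00:01 +0000] "GET /en/about/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Oct/2022:10:00:02 +0000] "GET /fr-ca/about/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Oct/2022:10:00:03 +0000] "GET /(a+)+$/about/ HTTP/1.1" 404 0',
    '198.51.100.7 - - [16/Oct/2022:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9000',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)')


def suspicious_locale_requests(lines):
    """Flag requests whose first path segment fails the language-tag check
    and carries regex metacharacters: the shape an exploit attempt takes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        segment = path.lstrip("/").split("/")[0]
        if segment and not is_valid_language_code(segment) and (set(segment) & REGEX_METACHARS):
            hits.append((client, segment))
    return hits


if __name__ == "__main__":
    print(compare("en", "en/about/"))   # every key True
    print(compare("e.", "es/about/"))   # unsafe_match True, safe_match False
    print(suspicious_locale_requests(LOG_LINES))
```

The locale "e." is enough to show the difference: compiled unescaped it matches "en/", "es/" and any other two-letter prefix starting with "e", while the escaped and prefix-string forms match only the literal text. The pathological pattern in the log sample is deliberately never compiled by the example; the detection check rejects it on shape alone, which is also the cheap check a proxy or early middleware can apply.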

Reservation

09/23/2022

Disclosure

10/16/2022

Moderation

accepted

CPE

ready

EPSS

0.02720

KEV

no

Activities

very low

Sources
