CVE-2026-25673 in Django
Summary
by MITRE • 03/03/2026
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/01/2026
This vulnerability resides in Django's URLField validation mechanism and represents a significant denial of service risk that affects multiple versions of the framework. The issue manifests when the `URLField.to_python()` method processes URL inputs through `urllib.parse.urlsplit()`, which executes NFKC normalization on Windows platforms. This normalization process becomes excessively slow when handling specific Unicode characters, creating a performance degradation that can be exploited by remote attackers to cause system resource exhaustion. The vulnerability affects Django versions 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29, with potentially broader impact on unsupported earlier versions including 5.0.x, 4.1.x, and 3.2.x series. The root cause stems from the Windows-specific behavior of Unicode normalization algorithms that process certain character sequences with exponential time complexity, making the denial of service attack particularly effective against malformed URL inputs containing these problematic Unicode sequences.
The technical flaw exploits the fundamental interaction between Django's URL validation and Python's standard library parsing functions on Windows operating systems. When a URL containing specific Unicode characters is processed through the URLField validation, the underlying `urllib.parse.urlsplit()` function triggers NFKC normalization that exhibits quadratic or worse time complexity for certain character combinations. This normalization behavior is consistent with known issues in Unicode processing libraries where certain character sequences cause performance degradation that scales disproportionately with input size. The vulnerability operates at the application layer and can be triggered through any input that passes through Django's URLField validation, including form submissions, API endpoints, and any other mechanisms that validate URL inputs. This makes the attack surface particularly broad and difficult to mitigate without addressing the core normalization issue.
The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise entire application availability and system resources. Attackers can construct malicious URLs with carefully selected Unicode characters that cause the Django application to consume excessive CPU cycles during URL validation, leading to resource exhaustion and denial of service conditions. The attack can be executed remotely without authentication requirements, making it particularly dangerous in production environments where applications may be exposed to untrusted input sources. Systems processing large volumes of URL inputs become increasingly vulnerable as the computational overhead accumulates, potentially affecting multiple concurrent requests and causing cascading failures in web applications. The vulnerability's impact is amplified in high-traffic scenarios where the denial of service can effectively shut down application functionality and impact legitimate user access.
Mitigation strategies for this vulnerability should focus on both immediate patching and defensive programming approaches. The primary solution involves upgrading to patched versions of Django where the issue has been resolved through either improved normalization handling or alternative URL parsing approaches that avoid the problematic Unicode character sequences. Organizations should implement input validation that limits URL length and character set restrictions where possible, particularly for high-traffic applications. Network-level protections such as rate limiting and request filtering can provide additional defense in depth, though these measures are secondary to the core patching approach. Security teams should monitor for unusual CPU usage patterns that might indicate exploitation attempts, particularly in systems processing URL inputs. The vulnerability aligns with CWE-400 which catalogs denial of service weaknesses in software systems, and may map to ATT&CK technique T1499.004 for network denial of service attacks. Organizations should also consider implementing automated monitoring for unusual processing times during URL validation to detect potential exploitation attempts before they cause significant service disruption.