CVE-2021-45115: Django Password Validation Overload Can Cause Slow Performance

GHSA-53qw-q765-4fww CVE-2021-45115
Summary

Django versions 2.2 through 4.0 (before the fixed releases) spend excessive time in UserAttributeSimilarityValidator when a submitted password is very long relative to the user attributes it is compared against. Where user registration is unrestricted, this can be exploited to overload the system and make it harder for legitimate users to register. To fix this, update to Django 2.2.26 or later, 3.2.11 or later, or 4.0.1 or later.

What to do
  • Update django to version 2.2.26 (2.2 series).
  • Update django to version 3.2.11 (3.2 series).
  • Update django to version 4.0.1 (4.0 series).
Affected software
Ecosystem: pip
  Product: django
  Affected versions: >= 2.2a1, < 2.2.26; >= 3.2a1, < 3.2.11; >= 4.0a1, < 4.0.1
  Fix: upgrade to 2.2.26
Vendor: djangoproject
  Product: django
  Affected versions: >= 2.2, < 2.2.26; >= 3.2, < 3.2.11; >= 4.0, < 4.0.1
  CPE: cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Vendor: fedoraproject
  Product: fedora
  Affected versions: 35
  CPE: cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Original title
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that ...
Original description
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
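As an added illustration of the mitigation (example code, not Django's own), the check below bounds the cost of the similarity comparison before calling SequenceMatcher: its quick_ratio() can never exceed 2*min(len(a), len(b)) / (len(a) + len(b)), so a password far longer than the attribute it is compared against cannot reach the threshold and the expensive comparison is skipped. The 0.7 threshold, the attribute names and the sample inputs are assumptions for this example.

```python
import re
from difflib import SequenceMatcher

MAX_SIMILARITY = 0.7  # threshold used in this example (assumed value)


def similarity_upper_bound(password: str, value: str) -> float:
    """Largest ratio SequenceMatcher can report for strings of these lengths.
    quick_ratio() and ratio() are 2*M/T with M <= min(len(a), len(b)) and
    T = len(a) + len(b), so the bound depends only on the two lengths.
    """
    total = len(password) + len(value)
    if total == 0:
        return 0.0
    return 2.0 * min(len(password), len(value)) / total


def too_similar(password: str, value: str,
                max_similarity: float = MAX_SIMILARITY) -> bool:
    """True if password is at least max_similarity similar to value.
    The O(1) pre-check rejects oversized passwords before the comparison:
    a megabyte-long password against a short username is skipped instead
    of being fed to SequenceMatcher, which is the cost the advisory describes.
    """
    if not value:
        return False
    if similarity_upper_bound(password, value) < max_similarity:
        return False  # threshold is unreachable; skip the expensive work
    matcher = SequenceMatcher(a=password.lower(), b=value.lower())
    return matcher.quick_ratio() >= max_similarity


def conflicting_attribute(password: str, user_attributes: dict,
                          max_similarity: float = MAX_SIMILARITY):
    """Return the name of the first attribute the password resembles, or None.
    As the validator does, each attribute is compared whole and split into
    word parts (so 'alice@example.com' also yields 'alice', 'example', 'com').
    """
    for name, value in user_attributes.items():
        if not isinstance(value, str) or not value:
            continue
        value_lower = value.lower()
        for part in re.split(r"\W+", value_lower) + [value_lower]:
            if too_similar(password, part, max_similarity):
                return name
    return None
```

Pairing this kind of bound with a hard maximum password length on the registration form keeps validation cost proportional to the attributes, not to attacker-controlled input.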
Severity (GHSA): CVSS 3.1 score 7.5; CVSS 4.0 score 8.7
Vulnerability type
CWE-400 Uncontrolled Resource Consumption
Published: 5 Jan 2022 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026