7.5
Django Can Crash with a Very Long URL
CVE-2026-25673
GHSA-8p8v-wh79-9r56
BIT-django-2026-25673
Summary
Django's `URLField.to_python()` hands the submitted value to `urllib.parse.urlsplit()`. On Windows that call performs NFKC normalization that is disproportionately slow for certain Unicode characters, so a remote attacker who submits a very long URL built from those characters to any endpoint that validates a `URLField` can make the server spend excessive CPU time (denial of service, CWE-400). No authentication is required. To protect your site, update to a fixed Django release: 6.0.3, 5.2.12 or 4.2.29.
What to do
- On the 6.0 series, update django to version 6.0.3.
- On the 5.2 series, update django to version 5.2.12.
- On the 4.2 series, update django to version 4.2.29.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| djangoproject | django | >= 6.0, < 6.0.3 | 6.0.3 |
| djangoproject | django | >= 5.2, < 5.2.12 | 5.2.12 |
| djangoproject | django | >= 4.2, < 4.2.29 | 4.2.29 |
Earlier, unsupported Django series (such as 5.0.x, 4.1.x and 3.2.x) were not evaluated and may also be affected.
Original title
Django vulnerable to Uncontrolled Resource Consumption
Original description
An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.
`URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
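The description above fixes the root cause inside Django itself; the only real remedy is the upgrade. For code that cannot upgrade immediately, the defensive pattern is to bound the input before `urlsplit()` ever sees it, since the normalization cost grows with the input and a `len()` check is constant time regardless of which characters the value contains. The following is an added example, not Django's code or its patch. It assumes a cap of 2048 characters and an http/https scheme allowlist (both arbitrary choices to tune per application), and its sample URLs are constructed here, including the use of U+FB01 (a compatibility ligature that NFKC expands to "fi") as a stand-in non-ASCII host character; the advisory does not name the slow characters, and this example does not claim U+FB01 is one of them.

```python
"""Bounded URL parsing: enforce a size cap before urllib.parse.urlsplit() runs."""
from urllib.parse import SplitResult, urlsplit

# Assumed cap: the advisory fixes no number. Pick the largest URL your
# application legitimately needs to accept.
MAX_URL_LENGTH = 2048

# Assumed allowlist; adjust to the schemes your field is meant to accept.
ALLOWED_SCHEMES = ("http", "https")


class URLTooLong(ValueError):
    """Raised before any parsing work is done on an oversized URL."""


def bounded_urlsplit(value: str, max_length: int = MAX_URL_LENGTH) -> SplitResult:
    """Split a URL only after enforcing a hard length bound.

    urlsplit() NFKC-normalizes a non-ASCII netloc as part of its validation,
    and the advisory describes that step as disproportionately slow for some
    characters. Rejecting on len() first is O(1) and caps the work a remote,
    unauthenticated client can force, whatever characters it sends.
    """
    if not isinstance(value, str):
        raise TypeError("URL must be a str")
    if len(value) > max_length:
        raise URLTooLong(
            f"URL of {len(value)} characters exceeds the cap of {max_length}"
        )
    return urlsplit(value)


def clean_url(value: str, max_length: int = MAX_URL_LENGTH) -> str:
    """Validation order a hardened field should use: bound, then parse, then check.

    Returns the stripped URL unchanged on success, raises ValueError otherwise.
    """
    value = value.strip()
    parts = bounded_urlsplit(value, max_length)  # urlsplit lower-cases the scheme
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.netloc:
        raise ValueError("URL has no host")
    return value


def is_rejected(value: str, max_length: int = MAX_URL_LENGTH) -> bool:
    """True if clean_url() refuses the value (URLTooLong is a ValueError too)."""
    try:
        clean_url(value, max_length)
    except ValueError:
        return True
    return False


# Constructed sample inputs, not taken from the advisory or any real report.
NORMAL_URL = "https://example.com/path?q=1"
# 100_000 repetitions of U+FB01 in the host: an arbitrary oversized payload that
# would take urlsplit()'s non-ASCII normalization path if it were ever parsed.
OVERSIZED_URL = "https://" + "\ufb01" * 100_000 + ".example.com/"

if __name__ == "__main__":
    print("accepted:", clean_url(NORMAL_URL))
    print("oversized rejected before parsing:", is_rejected(OVERSIZED_URL))
```

In a Django project this check belongs in front of the library call: subclass `django.forms.URLField`, override `to_python()` to run `bounded_urlsplit()` (raising `ValidationError` on `URLTooLong`) and then call `super().to_python()`. Note that the field's `max_length` validator does not help here, because validators run after `to_python()` has already parsed the value.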
NVD CVSS 3.1 base score: 7.5
Vulnerability type
- CWE-400 Uncontrolled Resource Consumption
- CWE-770 Allocation of Resources Without Limits or Throttling
References
- https://www.djangoproject.com/weblog/2026/mar/03/security-releases/ (vendor advisory, patch)
- https://docs.djangoproject.com/en/dev/releases/security/ (vendor advisory, patch)
- https://groups.google.com/g/django-announce (release notes)
- https://github.com/advisories/GHSA-8p8v-wh79-9r56
- https://nvd.nist.gov/vuln/detail/CVE-2026-25673
- https://github.com/django/django (product)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026