Django Denial-of-Service Vulnerability in URLField Unicode Normalization

Vulnerability

A denial-of-service vulnerability has been identified in Django's URLField form field, affecting Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. URLField.to_python() hands the submitted value to urllib.parse.urlsplit(), which NFKC-normalizes the network-location (host) part whenever that part contains non-ASCII characters. On Windows this normalization is disproportionately slow for certain Unicode characters, so a remote attacker who can submit a form containing a URLField can make a worker spend a disproportionate amount of CPU time by sending a very long URL built from those characters. Because the parse happens inside to_python(), before the field's validators run, a max_length on the field does not bound the work. Earlier, unsupported Django series are likely affected as well but will not receive a fix; the issue is addressed in the security releases listed under Remediation.

Impact

Each request carrying such a URL ties up a request-handling worker for far longer than a normal request, so a modest stream of requests can make the application slow or unresponsive for other users. Any endpoint that validates attacker-supplied input through a URLField is exposed, whether or not it requires authentication.

Remediation

Upgrade to Django 6.0.3, 5.2.12, or 4.2.29 (or any later release in the same series). Where the upgrade cannot be applied immediately, limit the length of URL input before it reaches URLField.to_python(), since the field's own max_length validator runs only after to_python() has already parsed the value.
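The following is an added example, not code from Django or CPython, illustrating the two points above: that urlsplit() performs the NFKC normalization itself (so the work is done inside to_python(), before any validator runs), and that checking length before parsing bounds the work. The names MAX_URL_LENGTH, urlsplit_outcome, parse_then_validate, validate_then_parse and time_urlsplit are this example's own; the sample URLs are constructed, and the fullwidth letter used for the long input is chosen only because it is non-ASCII, not because it is known to be a slow case.

```python
# Added example, not Django's or CPython's own code. It reproduces the ordering
# the advisory describes (URLField.to_python() hands the raw value to
# urlsplit(), whose NFKC check runs before any length validator) and shows a
# length-first guard. MAX_URL_LENGTH, urlsplit_outcome, parse_then_validate,
# validate_then_parse and time_urlsplit are this example's own names.
import time
from urllib.parse import urlsplit

# Assumed cap; size it to the longest URL the application legitimately accepts.
MAX_URL_LENGTH = 2048


def urlsplit_outcome(url: str):
    """Return ("ok", SplitResult) or ("rejected", message).

    CPython's urlsplit() NFKC-normalizes a netloc that contains non-ASCII
    characters and raises ValueError if the normalized form gains one of
    '/?#@:'. Seeing that error proves the normalization happens inside
    urlsplit() itself, i.e. inside to_python(), before Django's validators run.
    """
    try:
        return "ok", urlsplit(url)
    except ValueError as exc:
        return "rejected", str(exc)


def parse_then_validate(url: str, max_length: int = MAX_URL_LENGTH) -> dict:
    """Vulnerable ordering: parse first, check length afterwards.

    Mirrors Field.clean(): to_python() (the parse) runs before run_validators()
    (where MaxLengthValidator lives), so the whole string reaches urlsplit().
    """
    status, detail = urlsplit_outcome(url)  # NFKC work happens here
    if status != "ok":
        return {"ok": False, "stage": "parse", "parsed": True, "detail": detail}
    if len(url) > max_length:
        return {"ok": False, "stage": "length", "parsed": True,
                "detail": f"longer than {max_length}"}
    return {"ok": True, "stage": "done", "parsed": True, "detail": detail}


def validate_then_parse(url: str, max_length: int = MAX_URL_LENGTH) -> dict:
    """Hardened ordering: refuse oversized input before urlsplit() sees it.

    Bounding the input bounds the normalization work; the per-character cost
    is then capped by max_length rather than chosen by the attacker.
    """
    if len(url) > max_length:
        return {"ok": False, "stage": "length", "parsed": False,
                "detail": f"longer than {max_length}"}
    status, detail = urlsplit_outcome(url)
    if status != "ok":
        return {"ok": False, "stage": "parse", "parsed": True, "detail": detail}
    return {"ok": True, "stage": "done", "parsed": True, "detail": detail}


def time_urlsplit(url: str) -> float:
    """Wall-clock seconds spent in one urlsplit() call, for local measurement.

    Timing is platform dependent, so it is reported, never asserted on.
    """
    start = time.perf_counter()
    urlsplit_outcome(url)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed inputs: a fullwidth '＃' (U+FF03) in the host shows the NFKC
    # check firing inside urlsplit(); a long run of fullwidth 'ａ' (U+FF41,
    # chosen only because it is non-ASCII) shows how much input reaches the
    # parser under each ordering.
    print(urlsplit_outcome("http://example\uff03.com/"))
    big = "http://" + "\uff41" * 200_000 + ".example/"
    first = parse_then_validate(big)
    second = validate_then_parse(big)
    print("parse-first :", first["stage"], "urlsplit ran:", first["parsed"])
    print("length-first:", second["stage"], "urlsplit ran:", second["parsed"])
    print(f"urlsplit() on {len(big)} chars took {time_urlsplit(big):.3f}s")
```

In a Django project the equivalent interim guard is a URLField subclass whose to_python() compares len(value) against the field's max_length before calling super().to_python(); setting max_length alone does not help, because Field.clean() calls to_python() before run_validators(). Django's DATA_UPLOAD_MAX_MEMORY_SIZE (2.5 MB by default) bounds the request body only coarsely and is no substitute for upgrading.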

Added: Mar 3, 2026, 3:21 PM
Updated: Mar 3, 2026, 10:42 PM

Vulnerability Rating

Custom Algorithm
spread          7.6
impact          2.5
exploitability  7.2
remediation     7.7
relevance       3.4
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.