From c880530ddd4fabd5939bab0e148bebe36699432a Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Thu, 16 Oct 2025 16:28:33 -0400 Subject: [PATCH] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows. Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Follow-up to CVE-2025-27556 and 39e2297210d9d2938c75fc911d45f0e863dc4821. --- django/http/response.py | 9 +++++++-- docs/releases/4.2.26.txt | 10 +++++++++- docs/releases/5.1.14.txt | 10 +++++++++- docs/releases/5.2.8.txt | 10 ++++++++++ tests/httpwrappers/tests.py | 2 ++ 5 files changed, 37 insertions(+), 4 deletions(-) diff --git a/django/http/response.py b/django/http/response.py index 40b2d7089d..020b2fcf3a 100644 --- a/django/http/response.py +++ b/django/http/response.py @@ -22,7 +22,7 @@ from django.utils import timezone from django.utils.datastructures import CaseInsensitiveMapping from django.utils.encoding import iri_to_uri from django.utils.functional import cached_property -from django.utils.http import content_disposition_header, http_date +from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date from django.utils.regex_helper import _lazy_re_compile _charset_from_content_type_re = _lazy_re_compile( @@ -631,7 +631,12 @@ class HttpResponseRedirectBase(HttpResponse): def __init__(self, redirect_to, preserve_request=False, *args, **kwargs): super().__init__(*args, **kwargs) self["Location"] = iri_to_uri(redirect_to) - parsed = urlsplit(str(redirect_to)) + redirect_to_str = str(redirect_to) + if len(redirect_to_str) > MAX_URL_LENGTH: + raise DisallowedRedirect( + f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters" + ) + parsed = urlsplit(redirect_to_str) if preserve_request: self.status_code = self.status_code_preserve_request if parsed.scheme and parsed.scheme not in self.allowed_schemes: diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt index e0db257c04..ae274c3361 100644 --- a/docs/releases/4.2.26.txt +++ b/docs/releases/4.2.26.txt @@ -7,4 +7,12 @@ Django 4.2.26 release notes Django 4.2.26 fixes one security issue with severity "high" and one security issue with severity "moderate" in 4.2.25. -... +CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows +====================================================================================================================================== + +Python's :func:`NFKC normalization ` is slow on +Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`, +:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut +:func:`redirect() ` were subject to a potential +denial-of-service attack via certain inputs with a very large number of Unicode +characters (follow up to :cve:`2025-27556`). diff --git a/docs/releases/5.1.14.txt b/docs/releases/5.1.14.txt index 79a7a260e3..8dba96e487 100644 --- a/docs/releases/5.1.14.txt +++ b/docs/releases/5.1.14.txt @@ -7,4 +7,12 @@ Django 5.1.14 release notes Django 5.1.14 fixes one security issue with severity "high" and one security issue with severity "moderate" in 5.1.13. -... +CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows +====================================================================================================================================== + +Python's :func:`NFKC normalization ` is slow on +Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`, +:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut +:func:`redirect() ` were subject to a potential +denial-of-service attack via certain inputs with a very large number of Unicode +characters (follow up to :cve:`2025-27556`). diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt index 62cb32f55c..947fce8d84 100644 --- a/docs/releases/5.2.8.txt +++ b/docs/releases/5.2.8.txt @@ -8,6 +8,16 @@ Django 5.2.8 fixes one security issue with severity "high", one security issue with severity "moderate", and several bugs in 5.2.7. It also adds compatibility with Python 3.14. +CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows +====================================================================================================================================== + +Python's :func:`NFKC normalization ` is slow on +Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`, +:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut +:func:`redirect() ` were subject to a potential +denial-of-service attack via certain inputs with a very large number of Unicode +characters (follow up to :cve:`2025-27556`). + Bugfixes ======== diff --git a/tests/httpwrappers/tests.py b/tests/httpwrappers/tests.py index f1caec6b71..804bec50b0 100644 --- a/tests/httpwrappers/tests.py +++ b/tests/httpwrappers/tests.py @@ -24,6 +24,7 @@ from django.http import ( ) from django.test import SimpleTestCase from django.utils.functional import lazystr +from django.utils.http import MAX_URL_LENGTH class QueryDictTests(SimpleTestCase): @@ -490,6 +491,7 @@ class HttpResponseTests(SimpleTestCase): 'data:text/html,', "mailto:test@example.com", "file:///etc/passwd", + "é" * (MAX_URL_LENGTH + 1), ] for url in bad_urls: with self.assertRaises(DisallowedRedirect):