mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-11-07 07:15:35 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.

Browse Source 
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.

Follow-up to CVE-2025-27556 and 39e2297210.
This commit is contained in:
Jacob Walls
2025-10-16 16:28:33 -04:00
committed by Natalia
parent 74564946c3
commit c880530ddd
5 changed files with 37 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/releases/4.2.26.txt
View File

@@ -7,4 +7,12 @@ Django 4.2.26 release notes
Django 4.2.26 fixes one security issue with severity "high" and one security
issue with severity "moderate" in 4.2.25.
...
CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
======================================================================================================================================
Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters (follow up to :cve:`2025-27556`).

10
docs/releases/5.1.14.txt
View File

@@ -7,4 +7,12 @@ Django 5.1.14 release notes
Django 5.1.14 fixes one security issue with severity "high" and one security
issue with severity "moderate" in 5.1.13.
...
CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
======================================================================================================================================
Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters (follow up to :cve:`2025-27556`).

10
docs/releases/5.2.8.txt
View File

@@ -8,6 +8,16 @@ Django 5.2.8 fixes one security issue with severity "high", one security issue
with severity "moderate", and several bugs in 5.2.7. It also adds compatibility
with Python 3.14.
CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
======================================================================================================================================
Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
denial-of-service attack via certain inputs with a very large number of Unicode
characters (follow up to :cve:`2025-27556`).
Bugfixes
========