AI description
CVE-2025-64458 affects Django's HTTP redirect handling on Windows systems. The vulnerability lies in the `HttpResponseRedirect` and `HttpResponsePermanentRedirect` response classes. It is caused by slow NFKC normalization in Python on Windows. An attacker could exploit this by supplying redirect targets that contain a very large number of Unicode characters. This can cause Django's redirect handling to consume large amounts of CPU time, potentially leading to performance degradation or a denial of service. Django versions 5.2, 5.1, 4.2, and the 6.0 beta are affected. Patches have been released in versions 5.2.8, 5.1.14, and 4.2.26.
- Description: An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
- Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
- NVD status: Analyzed
- Products: django
CVSS 3.1
- Type: Secondary
- Base score: 7.5
- Impact score: 3.6
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity: HIGH
- Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
- CWE: CWE-407 (Inefficient Algorithmic Complexity)
- Hype score: Not currently trending
Recently, several security issues I reported in Django and FastAPI were disclosed:
- Django — CVE-2025-64458, CVE-2025-64460
- FastAPI — CVE-2025-62727
However, would you believe these were discovered using only an LLM, without my involvement? https://t.co/azyti2pflB
@_seokchan_yoon
3 Dec 2025
Django vulnerabilities CVE-2025-64458/64459 FIXED: possible SQL injection / DoS attacks https://t.co/rIcCc5F3Qh Two vulnerabilities have been discovered in Django. The core of the problem is the handling of the _connector argument in QuerySet operations and, in Windows environments, Unic
@iototsecnews
17 Nov 2025
CVE-2025-64458/64459 in Django - Cibersafety https://t.co/zs8Gfcx9nr
@escudata
10 Nov 2025
High-risk vulnerabilities in Django: SQL injection (CVE-2025-64459) and DoS (CVE-2025-64458) https://t.co/rgySWZuCFI #セキュリティ対策Lab #セキュリティ #Security #サイバー攻撃
@securityLab_jp
10 Nov 2025
🚨 Multiple Django vulnerabilities allow SQL injection and DoS attacks ⚠️ CVE-2025-64459 CVE-2025-64458 https://t.co/2L1AqvrYrK https://t.co/6ULJOZ4YpG
@elhackernet
8 Nov 2025
⚠️Vulnerabilities in Django products ❗CVE-2025-64459 ❗CVE-2025-64458 ➡️More info: https://t.co/t7BsfWczrX https://t.co/6nLuQNOiPH
@CERTpy
7 Nov 2025
🎯#Django Emergency update: the Django security team released patches on 2025-11-05. SQL injection (CVE-2025-64459) and DoS (CVE-2025-64458) have been addressed. Criminal IP has confirmed 26,996 exposed instances
@CriminalIP_JP
7 Nov 2025
🎯 #Django Emergency Security Update (CVE-2025-64458 / CVE-2025-64459) A security patch that fixes SQL injection and Denial-of-Service (DoS) vulnerabilities has been distributed. (Affected versions: Django 4.2 / 5.1 / 5.2 / 6.0 (beta)) According to Criminal IP threat hunting h
@CriminalIP_US
7 Nov 2025
🎯 #Django Emergency Security Update (CVE-2025-64458 / CVE-2025-64459) A security patch fixing SQL injection and denial-of-service (DoS) vulnerabilities has been distributed. (Affected versions: Django 4.2 / 5.1 / 5.2 / 6.0 (beta)) According to Criminal IP threat hunting results, 26,996 worldwide
@CriminalIP_KR
7 Nov 2025
2 CVEs in Django https://t.co/zVVMhipLcl
CVE-2025-64458: Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
CVE-2025-64459: Potential SQL injection via _connector keyword argument in QuerySet and Q objects
@oss_security
7 Nov 2025
Two vulnerabilities have been published for Django, CVE-2025-64458 (DoS) and CVE-2025-64459 (SQL injection). If you use versions 4.2, 5.1 or 5.2 of this product, be sure to patch
@EthicalSafe
6 Nov 2025
🚨🚨Django Patches Two High-Severity Vulnerabilities
CVE-2025-64459 (CVSS 9.1): High-Severity SQL Injection via _connector Keyword
CVE-2025-64458 (CVSS 7.5): Moderate Denial-of-Service (DoS) on Windows via Unicode Redirects
ZoomEye Dork👉app="Django" 189.7k+ exposed instanc
@zoomeye_team
6 Nov 2025
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5FC7EBE0-A60A-4083-9FB7-E4ADCD2B5F37",
            "versionEndExcluding": "4.2.26",
            "versionStartIncluding": "4.2"
          },
          {
            "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9F3A5471-02DB-428E-815E-516057A901FF",
            "versionEndExcluding": "5.1.14",
            "versionStartIncluding": "5.1"
          },
          {
            "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F56E9016-F93A-4DAE-8070-D3A4909F00A4",
            "versionEndExcluding": "5.2.8",
            "versionStartIncluding": "5.2"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
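The practical question a defender takes from this record is whether a deployed Django version falls inside the affected ranges. The following is an added example, not code from the record or from the Django project: it evaluates the CPE applicability statement above (copied inline, with the matchCriteriaId fields dropped) against a version string, and handles the general NVD node semantics (OR/AND operators, child nodes, negate) rather than only this record's single OR node. Names such as `DJANGO_CPE` and `is_affected` are this example's own.

```python
from itertools import takewhile

# Added example: CVE-2025-64458 CPE applicability statement from the record (matchCriteriaId dropped).
CVE_2025_64458_CONFIG = [{"nodes": [{"negate": False, "operator": "OR", "cpeMatch": [
    {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": True,
     "versionStartIncluding": "4.2", "versionEndExcluding": "4.2.26"},
    {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": True,
     "versionStartIncluding": "5.1", "versionEndExcluding": "5.1.14"},
    {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": True,
     "versionStartIncluding": "5.2", "versionEndExcluding": "5.2.8"},
]}]}]
DJANGO_CPE = "cpe:2.3:a:djangoproject:django"  # part:vendor:product of the installed package

def parse_version(text):
    """'5.2.8' -> (5, 2, 8); a non-numeric suffix ends the parse, so '6.0b1' -> (6, 0)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def version_in_range(match, version):
    """Apply the NVD range keys; tuple order gives (4, 2) <= (4, 2, 25) < (4, 2, 26) as intended."""
    v = parse_version(version)
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if (lo_inc and v < parse_version(lo_inc)) or (lo_exc and v <= parse_version(lo_exc)):
        return False
    if (hi_inc and v > parse_version(hi_inc)) or (hi_exc and v >= parse_version(hi_exc)):
        return False
    return True

def cpe_match_applies(match, product_cpe, version):
    """Same CPE part/vendor/product (fields 2..4 of a 2.3 string) and version inside the range."""
    crit = match["criteria"].split(":")
    if crit[2:5] != product_cpe.split(":")[2:5]:
        return False
    return version_in_range(match, version)

def node_matches(node, product_cpe, version):
    """OR/AND over the node's cpeMatch entries and child nodes, then the optional negate."""
    hits = [cpe_match_applies(m, product_cpe, version) for m in node.get("cpeMatch", [])]
    hits += [node_matches(c, product_cpe, version) for c in node.get("children", [])]
    combined = all(hits) if node.get("operator") == "AND" else any(hits)
    return (not combined) if node.get("negate") else combined

def is_affected(config, product_cpe, version):
    """True when any configuration matches (a configuration's nodes are ANDed only if it says so)."""
    for cfg in config:
        results = [node_matches(n, product_cpe, version) for n in cfg["nodes"]]
        if all(results) if cfg.get("operator") == "AND" else any(results):
            return True
    return False
```

Note that the record lists only the 4.2, 5.1 and 5.2 ranges, so a 6.0 beta evaluates as not matched here even though the description above says it is affected; treat that as a gap in the CPE data, not as a clean bill of health.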