Vulnerability Description
An issue was discovered in Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause a denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Djangoproject | Django | >= 4.2.0, < 4.2.29 |
Related Weaknesses (CWE)
References
- https://docs.djangoproject.com/en/dev/releases/security/ (Vendor Advisory, Patch)
- https://groups.google.com/g/django-announce (Release Notes)
- https://www.djangoproject.com/weblog/2026/mar/03/security-releases/ (Patch, Vendor Advisory)
FAQ
What is CVE-2026-25673?
CVE-2026-25673 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows th...
How severe is CVE-2026-25673?
CVE-2026-25673 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25673?
Check the references section above for vendor advisories and patch information. Affected products include: Djangoproject Django.