CVE-2025-64460NVD

Vulnerability Summary

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.

Severity Level

UNKNOWN

Published Date

Dec 2, 2025

Last Modified

Dec 2, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-407: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

External References

https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2025/dec/02/security-releases/

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2025-64460NVD

Vulnerability Summary

External References