The Django security team has issued important updates for all supported versions of the framework to address two newly identified vulnerabilities. The releases—covering Django 6.0.3, 5.2.12, and 4.2.29—remediate a moderate-severity Denial-of-Service (DoS) flaw and a low-severity issue involving incorrect file permissions.
Developers are strongly encouraged to upgrade their environments as soon as possible to mitigate these risks.
CVE-2026-25673: Potential DoS via Unicode Normalization
The more significant of the two issues is a “moderate” severity vulnerability affecting the URLField form field. On Windows systems, the field’s to_python() method relied on a URL-parsing step whose cost could be driven up by crafted input, allowing an attacker to consume excessive server resources.
According to the official advisory, “On Windows, urlsplit() performs NFKC normalization (unicodedata.normalize), which can be disproportionately slow for large inputs containing certain characters”. This slowness creates a potential vector for a Denial-of-Service attack, where a malicious actor could send crafted inputs to stall the server.
To resolve this, the Django team has implemented a simplified scheme detection that bypasses Unicode normalization entirely. Developers using custom validators should take note: “characters such as newlines, tabs, and other control characters within the value are no longer handled by URLField.to_python()”.
CVE-2026-25674: File System Permission Risks
The second vulnerability, rated as “low” severity, involves how Django handles permissions when creating new files or directories. Previously, the framework’s file-system storage and file-based cache backends relied on the process umask to control these permissions.
The security team identified a risk in multi-threaded environments: “one thread’s temporary umask change can affect other threads’ file and directory creation, resulting in file system objects being created with unintended permissions”. This could lead to a scenario where sensitive files are created with overly permissive access levels.
The update changes this behavior by applying requested permissions via os.chmod() immediately after directory creation, removing the dangerous dependency on the process-wide umask.
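To make the umask dependency concrete, the following is an added Python example (not Django's own code) contrasting umask-dependent directory creation with the explicit os.chmod() pattern the advisory describes. It assumes a POSIX file system and models a umask "leaked" by another thread by setting it directly rather than racing a real second thread.

```python
import os
import stat
import tempfile


def make_dir_umask_dependent(path, mode):
    """Pre-fix pattern: pass the mode to os.makedirs() and let the process
    umask mask it. In a multi-threaded process, another thread's temporary
    os.umask() change silently alters the resulting permissions."""
    os.makedirs(path, mode=mode, exist_ok=True)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_dir_explicit_chmod(path, mode):
    """Hardened pattern described in the advisory: create the directory, then
    apply the requested mode with os.chmod(), which the umask does not mask."""
    os.makedirs(path, mode=mode, exist_ok=True)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_under_umask(leaked_umask, requested_mode):
    """Model a umask leaked from another thread by setting it process-wide,
    create one directory each way, and return (umask_dependent, explicit)
    as the effective permission bits of each directory."""
    previous = os.umask(leaked_umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:  # constructed scratch area
            dependent = make_dir_umask_dependent(
                os.path.join(tmp, "dep"), requested_mode)
            explicit = make_dir_explicit_chmod(
                os.path.join(tmp, "exp"), requested_mode)
    finally:
        os.umask(previous)  # always restore the original umask
    return dependent, explicit


if __name__ == "__main__":
    # Constructed scenario 1: the application asks for 0o755 while a
    # restrictive 0o077 umask is leaked; only the chmod path honours it.
    print([oct(m) for m in compare_under_umask(0o077, 0o755)])
    # Constructed scenario 2: a permissive 0o000 umask is leaked while the
    # code relies on the umask to trim a 0o777 default; the umask-dependent
    # path yields a world-writable directory.
    print(oct(compare_under_umask(0o000, 0o777)[0]))
```

The explicit path returns exactly the requested bits regardless of the leaked umask, which is the property the fix restores; a deployment check can compare the effective bits of newly created cache and upload directories against the configured permissions in the same way.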
Affected Versions and Resolution
The patches have been applied to the main development branch as well as all currently supported stable branches.
| Affected Branch | Patched Version |
| --- | --- |
| Django main | Patched |
| Django 6.0 | 6.0.3 |
| Django 5.2 | 5.2.12 |
| Django 4.2 | 4.2.29 |