Resource exhaustion in Djangoproject Django

CVE-2026-25673

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certa…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.002 (47.2th percentile) — read the EPSS interpretation.

Affected products

Djangoproject Django — versions 6.0, 6.0.3, 5.2

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

Django security archive (vendor-advisory)
Django releases announcements (mailing-list)
Django security releases issued: 6.0.3, 5.2.12, and 4.2.29 (vendor-advisory)