summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorJacob Walls <jacobtylerwalls@gmail.com>2026-03-24 15:53:27 -0400
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2026-05-05 14:33:27 +0200
commit5a89e341bfc77dd67b7fd57b7091b6430558e1f4 (patch)
treeeda11f2a0d23e74eb8ff6111a44ee2c0d19990fa /docs
parentd75d57c2c06934a65feabd206129b9d1a230a1da (diff)
Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in MemoryFileUploadHandler on ASGI.
In ASGI deployments, Content-Length is not guaranteed to reflect the actual request body size, so relying on it to gate memory allocation allowed the limit to be bypassed. The handler now enforces DATA_UPLOAD_MAX_MEMORY_SIZE regardless of the declared header value. Thanks to Kyle Agronick for the report. Refs #35289. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/5.2.14.txt14
-rw-r--r--docs/releases/6.0.5.txt14
2 files changed, 28 insertions, 0 deletions
diff --git a/docs/releases/5.2.14.txt b/docs/releases/5.2.14.txt
index 681687efb1..0722e80a95 100644
--- a/docs/releases/5.2.14.txt
+++ b/docs/releases/5.2.14.txt
@@ -5,3 +5,17 @@ Django 5.2.14 release notes
*May 5, 2026*
Django 5.2.14 fixes three security issues with severity "low" in 5.2.13.
+
+CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
+======================================================================================================
+
+ASGI requests with a missing or understated ``Content-Length`` header could
+bypass the :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading
+large files into memory and causing service degradation.
+
+As a reminder, Django :ref:`expects a limit to be configured
+<user-uploaded-content-security>` at the web server level rather than solely
+relying on :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
diff --git a/docs/releases/6.0.5.txt b/docs/releases/6.0.5.txt
index 1e7e1b2c3b..8613b604fb 100644
--- a/docs/releases/6.0.5.txt
+++ b/docs/releases/6.0.5.txt
@@ -7,6 +7,20 @@ Django 6.0.5 release notes
Django 6.0.5 fixes three security issues with severity "low" and several bugs
in 6.0.4.
+CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass
+======================================================================================================
+
+ASGI requests with a missing or understated ``Content-Length`` header could
+bypass the :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading
+large files into memory and causing service degradation.
+
+As a reminder, Django :ref:`expects a limit to be configured
+<user-uploaded-content-security>` at the web server level rather than solely
+relying on :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
+
Bugfixes
========