summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorShai Berger <shai@platonix.com>2025-10-11 21:42:56 +0300
committerNatalia <124304+nessita@users.noreply.github.com>2025-12-02 09:24:55 -0300
commit1dbd07a608e495a0c229edaaf84d58d8976313b5 (patch)
tree0b4c94802ddd5546fbeaed2ad4db4232086730c7 /docs
parent56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0 (diff)
[6.0.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation in XML serializer.
Previously, `getInnerText()` recursively used `list.extend()` on strings, which added each character from child nodes as a separate list element. On deeply nested XML content, this caused the overall deserialization work to grow quadratically with input size, potentially allowing disproportionate CPU consumption for crafted XML. The fix separates collection of inner texts from joining them, so that each subtree is joined only once, reducing the complexity to linear in the size of the input. These changes also include a mitigation for a xml.dom.minidom performance issue. Thanks Seokchan Yoon (https://ch4n3.kr/) for report. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 50efb718b31333051bc2dcb06911b8fa1358c98c from main.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/4.2.27.txt10
-rw-r--r--docs/releases/5.1.15.txt10
-rw-r--r--docs/releases/5.2.9.txt10
-rw-r--r--docs/topics/serialization.txt2
4 files changed, 32 insertions, 0 deletions
diff --git a/docs/releases/4.2.27.txt b/docs/releases/4.2.27.txt
index e95dc63f74..b843f6a443 100644
--- a/docs/releases/4.2.27.txt
+++ b/docs/releases/4.2.27.txt
@@ -15,6 +15,16 @@ using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
PostgreSQL.
+CVE-2025-64460: Potential denial-of-service vulnerability in XML ``Deserializer``
+=================================================================================
+
+:ref:`XML Serialization <serialization-formats-xml>` was subject to a potential
+denial-of-service attack due to quadratic time complexity when deserializing
+crafted documents containing many nested invalid elements. The internal helper
+``django.core.serializers.xml_serializer.getInnerText()`` previously
+accumulated inner text inefficiently during recursion. It now collects text per
+element, avoiding excessive resource usage.
+
Bugfixes
========
diff --git a/docs/releases/5.1.15.txt b/docs/releases/5.1.15.txt
index f55623ea96..63ff22732e 100644
--- a/docs/releases/5.1.15.txt
+++ b/docs/releases/5.1.15.txt
@@ -15,6 +15,16 @@ using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
PostgreSQL.
+CVE-2025-64460: Potential denial-of-service vulnerability in XML ``Deserializer``
+=================================================================================
+
+:ref:`XML Serialization <serialization-formats-xml>` was subject to a potential
+denial-of-service attack due to quadratic time complexity when deserializing
+crafted documents containing many nested invalid elements. The internal helper
+``django.core.serializers.xml_serializer.getInnerText()`` previously
+accumulated inner text inefficiently during recursion. It now collects text per
+element, avoiding excessive resource usage.
+
Bugfixes
========
diff --git a/docs/releases/5.2.9.txt b/docs/releases/5.2.9.txt
index 08c298999a..ba235d05c6 100644
--- a/docs/releases/5.2.9.txt
+++ b/docs/releases/5.2.9.txt
@@ -15,6 +15,16 @@ using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to :meth:`.QuerySet.annotate` or :meth:`.QuerySet.alias` on
PostgreSQL.
+CVE-2025-64460: Potential denial-of-service vulnerability in XML ``Deserializer``
+=================================================================================
+
+:ref:`XML Serialization <serialization-formats-xml>` was subject to a potential
+denial-of-service attack due to quadratic time complexity when deserializing
+crafted documents containing many nested invalid elements. The internal helper
+``django.core.serializers.xml_serializer.getInnerText()`` previously
+accumulated inner text inefficiently during recursion. It now collects text per
+element, avoiding excessive resource usage.
+
Bugfixes
========
diff --git a/docs/topics/serialization.txt b/docs/topics/serialization.txt
index e8a3d322dd..a4643e46ec 100644
--- a/docs/topics/serialization.txt
+++ b/docs/topics/serialization.txt
@@ -173,6 +173,8 @@ Identifier Information
.. _jsonl: https://jsonlines.org/
.. _PyYAML: https://pyyaml.org/
+.. _serialization-formats-xml:
+
XML
---