From 0910af60468216c856dfbcac1177372c225deb76 Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Thu, 5 Mar 2026 14:41:44 -0300 Subject: [6.0.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser. When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size. The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end. Thanks to Seokchan Yoon for the report and the fixing patch. Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main. --- docs/releases/4.2.30.txt | 10 ++++++++++ docs/releases/5.2.13.txt | 10 ++++++++++ docs/releases/6.0.4.txt | 10 ++++++++++ 3 files changed, 30 insertions(+) (limited to 'docs') diff --git a/docs/releases/4.2.30.txt b/docs/releases/4.2.30.txt index de19a6f08f..c5058d9b84 100644 --- a/docs/releases/4.2.30.txt +++ b/docs/releases/4.2.30.txt @@ -46,3 +46,13 @@ instances to be created via forged ``POST`` data. This issue has severity "low" according to the :ref:`Django security policy `. + +CVE-2026-33033: Potential denial-of-service vulnerability in ``MultiPartParser`` via base64-encoded file upload +=============================================================================================================== + +When using ``django.http.multipartparser.MultiPartParser``, multipart uploads +with ``Content-Transfer-Encoding: base64`` that include excessive whitespace +may trigger repeated memory copying, potentially degrading performance. + +This issue has severity "moderate" according to the :ref:`Django security +policy `. diff --git a/docs/releases/5.2.13.txt b/docs/releases/5.2.13.txt index 8b303f2700..46303da3c7 100644 --- a/docs/releases/5.2.13.txt +++ b/docs/releases/5.2.13.txt @@ -46,3 +46,13 @@ instances to be created via forged ``POST`` data. This issue has severity "low" according to the :ref:`Django security policy `. + +CVE-2026-33033: Potential denial-of-service vulnerability in ``MultiPartParser`` via base64-encoded file upload +=============================================================================================================== + +When using ``django.http.multipartparser.MultiPartParser``, multipart uploads +with ``Content-Transfer-Encoding: base64`` that include excessive whitespace +may trigger repeated memory copying, potentially degrading performance. + +This issue has severity "moderate" according to the :ref:`Django security +policy `. diff --git a/docs/releases/6.0.4.txt b/docs/releases/6.0.4.txt index 4287a3086a..6452768f2a 100644 --- a/docs/releases/6.0.4.txt +++ b/docs/releases/6.0.4.txt @@ -47,6 +47,16 @@ instances to be created via forged ``POST`` data. This issue has severity "low" according to the :ref:`Django security policy `. +CVE-2026-33033: Potential denial-of-service vulnerability in ``MultiPartParser`` via base64-encoded file upload +=============================================================================================================== + +When using ``django.http.multipartparser.MultiPartParser``, multipart uploads +with ``Content-Transfer-Encoding: base64`` that include excessive whitespace +may trigger repeated memory copying, potentially degrading performance. + +This issue has severity "moderate" according to the :ref:`Django security +policy `. + Bugfixes ======== -- cgit v1.3