From 5a89e341bfc77dd67b7fd57b7091b6430558e1f4 Mon Sep 17 00:00:00 2001 From: Jacob Walls Date: Tue, 24 Mar 2026 15:53:27 -0400 Subject: Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in MemoryFileUploadHandler on ASGI. In ASGI deployments, Content-Length is not guaranteed to reflect the actual request body size, so relying on it to gate memory allocation allowed the limit to be bypassed. The handler now enforces DATA_UPLOAD_MAX_MEMORY_SIZE regardless of the declared header value. Thanks to Kyle Agronick for the report. Refs #35289. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> --- docs/releases/5.2.14.txt | 14 ++++++++++++++ docs/releases/6.0.5.txt | 14 ++++++++++++++ 2 files changed, 28 insertions(+) (limited to 'docs') diff --git a/docs/releases/5.2.14.txt b/docs/releases/5.2.14.txt index 681687efb1..0722e80a95 100644 --- a/docs/releases/5.2.14.txt +++ b/docs/releases/5.2.14.txt @@ -5,3 +5,17 @@ Django 5.2.14 release notes *May 5, 2026* Django 5.2.14 fixes three security issues with severity "low" in 5.2.13. + +CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass +====================================================================================================== + +ASGI requests with a missing or understated ``Content-Length`` header could +bypass the :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading +large files into memory and causing service degradation. + +As a reminder, Django :ref:`expects a limit to be configured +` at the web server level rather than solely +relying on :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`. + +This issue has severity "low" according to the :ref:`Django security policy +`. diff --git a/docs/releases/6.0.5.txt b/docs/releases/6.0.5.txt index 1e7e1b2c3b..8613b604fb 100644 --- a/docs/releases/6.0.5.txt +++ b/docs/releases/6.0.5.txt @@ -7,6 +7,20 @@ Django 6.0.5 release notes Django 6.0.5 fixes three security issues with severity "low" and several bugs in 6.0.4. +CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass +====================================================================================================== + +ASGI requests with a missing or understated ``Content-Length`` header could +bypass the :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading +large files into memory and causing service degradation. + +As a reminder, Django :ref:`expects a limit to be configured +` at the web server level rather than solely +relying on :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`. + +This issue has severity "low" according to the :ref:`Django security policy +`. + Bugfixes ======== -- cgit v1.3