From b3e8ec8cc310489fe80174b14b11edb970d682ea Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Thu, 29 Jan 2026 22:52:41 -0300 Subject: [4.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection. This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main. --- docs/releases/4.2.29.txt | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'docs') diff --git a/docs/releases/4.2.29.txt b/docs/releases/4.2.29.txt index a3f3787cd6..b780264929 100644 --- a/docs/releases/4.2.29.txt +++ b/docs/releases/4.2.29.txt @@ -6,3 +6,25 @@ Django 4.2.29 release notes Django 4.2.29 fixes a security issue with severity "moderate" and a security issue with severity "low" in 4.2.28. + +CVE-2026-25673: Potential denial-of-service vulnerability in ``URLField`` via Unicode normalization on Windows +============================================================================================================== + +The :class:`~django.forms.URLField` form field's ``to_python()`` method used +:func:`~urllib.parse.urlsplit` to determine whether to prepend a URL scheme to +the submitted value. On Windows, ``urlsplit()`` performs +:func:`NFKC normalization `, which can be +disproportionately slow for large inputs containing certain characters. + +``URLField.to_python()`` now uses a simplified scheme detection, avoiding +Unicode normalization entirely and deferring URL validation to the appropriate +layers. As a result, while leading and trailing whitespace is still stripped by +default, characters such as newlines, tabs, and other control characters within +the value are no longer handled by ``URLField.to_python()``. When using the +default :class:`~django.core.validators.URLValidator`, these values will +continue to raise :exc:`~django.core.exceptions.ValidationError` during +validation, but if you rely on custom validators, ensure they do not depend on +the previous behavior of ``URLField.to_python()``. + +This issue has severity "moderate" according to the :ref:`Django security +policy `. -- cgit v1.3