From f578acc8c54530fffabd52d2db654c8669b011af Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Wed, 14 Jan 2026 15:25:45 +0000 Subject: [4.2.x] Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests. Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews. Backport of eb22e1d6d643360e952609ef562c139a100ea4eb from main. --- docs/releases/4.2.28.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'docs') diff --git a/docs/releases/4.2.28.txt b/docs/releases/4.2.28.txt index 9f6d5cb152..67d398308c 100644 --- a/docs/releases/4.2.28.txt +++ b/docs/releases/4.2.28.txt @@ -17,3 +17,15 @@ allowed remote attackers to enumerate users via a timing attack. This issue has severity "low" according to the :ref:`Django security policy `. + +CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI +============================================================================================== + +When receiving duplicates of a single header, ``ASGIRequest`` allowed a remote +attacker to cause a potential denial-of-service via a specifically created +request with multiple duplicate headers. The vulnerability resulted from +repeated string concatenation while combining repeated headers, which +produced super-linear computation resulting in service degradation or outage. + +This issue has severity "moderate" according to the :ref:`Django security +policy `. -- cgit v1.3
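Review bot: This view shows only the docs/releases/4.2.28.txt hunk (the diffstat reads "1 file changed, 12 insertions(+)" and is marked "(limited to 'docs')"), so the change to ``ASGIRequest`` header combining that the commit message and the new release note describe is not visible here and cannot be reviewed from this page; confirm the full commit carries the code fix alongside this note before treating the backport as complete. Within the hunk, the new closing sentence's ``:ref:`Django security policy ``` role shows no explicit target in the visible text, exactly like the pre-existing line above it ("according to the :ref:`Django security policy `."), so this is most likely an extraction artifact rather than an error in the change; it is still worth checking that the new paragraph's ref target matches the one used by the existing CVE entry so the built docs link correctly. The wording itself is consistent with the neighbouring entry (severity statement in the same form, hunk header ``@@ -17,3 +17,15 @@`` accounting for the 12 added lines plus 3 context lines).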