author Jake Howard <git@theorangeone.net> 2026-04-01 15:47:30 +0100
committer Jacob Walls <jacobtylerwalls@gmail.com> 2026-04-07 10:33:38 -0400
commit 1c584b0b1edd1def1e9aa4aef25fc5754f485616 (patch)
tree 53fd6c2f86cc16f9fd15f981a4d9a4836a4d576b
parent 3330dc2dd97f60ab32d3c912d2649859d063265c (diff)
Refs CVE-2026-33034 -- Improved security documentation on handling large request bodies.
Notably that the limit can be bypassed under ASGI.
-rw-r--r-- docs/ref/settings.txt | 19
-rw-r--r-- docs/topics/security.txt | 13
2 files changed, 24 insertions, 8 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 320ec7f83e..cca7b18f24 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -1037,14 +1037,19 @@ The maximum size in bytes that a request body may be before a
:exc:`~django.core.exceptions.SuspiciousOperation` (``RequestDataTooBig``) is
raised. The check is done when accessing ``request.body`` or ``request.POST``
and is calculated against the total request size excluding any file upload
-data. You can set this to ``None`` to disable the check. Applications that are
-expected to receive unusually large form posts should tune this setting.
+data (``request.FILES``). You can set this to ``None`` to disable the check.
+Applications that are expected to receive unusually large form posts should
+tune this setting.
-The amount of request data is correlated to the amount of memory needed to
-process the request and populate the GET and POST dictionaries. Large requests
-could be used as a denial-of-service attack vector if left unchecked. Since web
-servers don't typically perform deep request inspection, it's not possible to
-perform a similar check at that level.
+Under ASGI, the entire request may be spooled to disk before this limit is
+enforced. Therefore, it is strongly recommended to place additional protections
+in front of Django which limit the entire request payload.
+
+The amount of request data is correlated to the amount of memory or storage
+needed to process the request and populate the GET and POST dictionaries.
+Large requests could be used as a denial-of-service attack vector if left
+unchecked. Since web servers don't typically perform deep request inspection,
+it's not possible to perform a similar check at that level.
See also :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`.
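Review bot: the new paragraph at "Under ASGI, the entire request may be spooled to disk before this limit is enforced" recommends "additional protections in front of Django" without saying what those are, so a reader of the settings reference is left to guess. The companion hunk in ``docs/topics/security.txt`` names the concrete mechanism (a request body limit in the web server configuration, e.g. Apache's ``LimitRequestBody``); suggest either naming it here as well or adding a ``:ref:`` cross-reference to that section so the two documents point at the same mitigation. It would also help to state explicitly that this spooling happens regardless of whether ``request.body`` or ``request.POST`` is ever accessed, since the sentence above ("The check is done when accessing ...") otherwise reads as if a handler that never touches the body is unaffected.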
diff --git a/docs/topics/security.txt b/docs/topics/security.txt
index 2e828db0ab..ea3021c26d 100644
--- a/docs/topics/security.txt
+++ b/docs/topics/security.txt
@@ -253,7 +253,9 @@ User-uploaded content
* If your site accepts file uploads, it is strongly advised that you limit
these uploads in your web server configuration to a reasonable
size in order to prevent denial of service (DOS) attacks. In Apache, this
- can be easily set using the LimitRequestBody_ directive.
+ can be easily set using the LimitRequestBody_ directive. You should not rely
+ solely on :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE`
+ nor :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`.
* If you are serving your own static files, be sure that handlers like Apache's
``mod_php``, which would execute static files as code, are disabled. You
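Review bot: the added sentence "You should not rely solely on :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` nor :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`" is grammatically off ("not ... nor" after "solely") and gives no reason, so it reads as an unexplained prohibition. Suggest "You should not rely solely on :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` or :setting:`FILE_UPLOAD_MAX_MEMORY_SIZE`, as these are enforced only after the request has been received." and reflowing the three lines to the surrounding wrap width, since ``solely on :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE``` currently sits on a short line of its own.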
@@ -287,6 +289,15 @@ User-uploaded content
.. _same-origin policy: https://en.wikipedia.org/wiki/Same-origin_policy
+Form Submissions
+================
+
+* Form submissions containing files are not limited by
+ :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE`. Under ASGI, the entire request may be
+ spooled to disk before any file size validation is performed. It is strongly
+ advised that you limit the maximum request body size in your web server
+ configuration to prevent denial of service (DOS) attacks.
+
.. _security-csp:
Content Security Policy
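Review bot: the new heading "Form Submissions" uses title case, while the neighbouring heading in this hunk's context is "User-uploaded content" (sentence case); suggest "Form submissions" for consistency. Separately, the section consists of a single bullet whose advice (limit request body size in the web server to prevent DOS) duplicates the first bullet of "User-uploaded content" a few lines above; consider folding the ASGI spooling note into that bullet instead of opening a one-item section, or, if a separate section is preferred, make it reference the earlier bullet so the two pieces of guidance do not drift apart. The wording "before any file size validation is performed" would also be clearer if it said whose validation it means (form field or upload handler limits), since ``DATA_UPLOAD_MAX_MEMORY_SIZE`` is described in the same sentence as not applying to requests containing files.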