author: Natalia <124304+nessita@users.noreply.github.com> 2026-03-11 10:26:18 -0300
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2026-04-07 07:34:17 -0400
commit: 49e1e2b548999a35a025f9682598946bda9e9921 (patch)
tree: eba2c042d949a55df60f8d56602fbd321ac5cda1 /docs/releases/5.2.13.txt
parent: 0b467893bdde69a2d23034338e76021a1e4f4322 (diff)
[5.2.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ASGI requests.
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed.

Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews.

Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main.
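The mechanism the commit message describes, as an added example that is not Django's own code: a reader that only compares the declared `Content-Length` against the limit, beside one that also counts the bytes actually consumed from the chunk stream. `DATA_UPLOAD_MAX_MEMORY_SIZE` mirrors the Django setting name; the error class, the two reader functions and the sample chunks are constructed for this illustration.

```python
# Added example, not Django's own code: the Content-Length-only check beside
# the byte-counting check. DATA_UPLOAD_MAX_MEMORY_SIZE mirrors the Django
# setting name; the error class, readers and sample chunks are constructed.
DATA_UPLOAD_MAX_MEMORY_SIZE = 2_621_440  # Django's default limit (2.5 MiB)


class RequestDataTooBig(Exception):
    """Stand-in for the error raised when a body exceeds the limit."""


def read_body_before_fix(headers, chunks, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Vulnerable shape: only the declared Content-Length is checked. A chunked
    request has no header, so declared is 0 and every chunk gets buffered."""
    declared = int(headers.get("content-length", 0))
    if declared > limit:
        raise RequestDataTooBig()
    buf = bytearray()
    for chunk in chunks:  # chunks: body parts as delivered by receive()
        buf += chunk  # grows without bound
    return bytes(buf)


def read_body_after_fix(headers, chunks, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Hardened shape: keep the header check (fails fast for honest clients) and
    also count bytes actually consumed: covers missing or understated headers."""
    declared = int(headers.get("content-length", 0))
    if declared > limit:
        raise RequestDataTooBig()
    buf = bytearray()
    consumed = 0
    for chunk in chunks:
        consumed += len(chunk)
        if consumed > limit:
            raise RequestDataTooBig()  # stop before buffering the rest
        buf += chunk
    return bytes(buf)


def body_size_or_none(reader, headers, chunks, limit):
    """Return the buffered body length, or None if the reader rejected it."""
    try:
        return len(reader(headers, chunks, limit))
    except RequestDataTooBig:
        return None


# Constructed sample: three 1 KiB chunks (3 KiB total) against a 1 KiB limit.
CHUNKS = [b"x" * 1024] * 3
```

With no header the vulnerable reader buffers all 3 KiB against a 1 KiB limit, and an understated header (`content-length: 512`) slips past it the same way; the counting reader rejects both once the consumed bytes pass the limit.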
Diffstat (limited to 'docs/releases/5.2.13.txt')
-rw-r--r-- docs/releases/5.2.13.txt | 11
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/releases/5.2.13.txt b/docs/releases/5.2.13.txt
index 46303da3c7..9b7ce3155a 100644
--- a/docs/releases/5.2.13.txt
+++ b/docs/releases/5.2.13.txt
@@ -56,3 +56,14 @@ may trigger repeated memory copying, potentially degrading performance.
This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.
+
+CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
+=========================================================================================================
+
+ASGI requests with a missing or understated ``Content-Length`` header could
+bypass the :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
+``HttpRequest.body``, potentially loading an unbounded request body into
+memory and causing service degradation.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
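Review bot: the new note explains how the limit could be bypassed but not what a reader observes after the fix; since the commit message says a check on the actual number of bytes consumed was added, consider closing the first paragraph with a sentence stating that reading ``HttpRequest.body`` now enforces :setting:`DATA_UPLOAD_MAX_MEMORY_SIZE` on the bytes actually received, whatever ``Content-Length`` declares, so that users of chunked ASGI clients know the new error to expect. The note also says "missing or understated" where the commit message only mentions the missing-header case; the wording is fine if the consumed-bytes check covers both, but it is worth confirming that the understated case is exercised by a test.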