diff options
| author | Jake Howard <git@theorangeone.net> | 2026-01-14 15:25:45 +0000 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-02-03 08:13:57 -0500 |
| commit | 1ba90069c12836db46981bdf75b0e661db5849ce (patch) | |
| tree | 73ab0542261f7709aa08f8dd317b55a10d8ccdae /docs/releases | |
| parent | 184e38ab0a061c365f5775676a074796d8abd02f (diff) | |
[5.2.x] Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests.
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
Backport of eb22e1d6d643360e952609ef562c139a100ea4eb from main.
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/4.2.28.txt | 12 | ||||
| -rw-r--r-- | docs/releases/5.2.11.txt | 12 |
2 files changed, 24 insertions, 0 deletions
diff --git a/docs/releases/4.2.28.txt b/docs/releases/4.2.28.txt index 9f6d5cb152..67d398308c 100644 --- a/docs/releases/4.2.28.txt +++ b/docs/releases/4.2.28.txt @@ -17,3 +17,15 @@ allowed remote attackers to enumerate users via a timing attack. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI +============================================================================================== + +When receiving duplicates of a single header, ``ASGIRequest`` allowed a remote +attacker to cause a potential denial-of-service via a specifically created +request with multiple duplicate headers. The vulnerability resulted from +repeated string concatenation while combining repeated headers, which +produced super-linear computation resulting in service degradation or outage. + +This issue has severity "moderate" according to the :ref:`Django security +policy <security-disclosure>`. diff --git a/docs/releases/5.2.11.txt b/docs/releases/5.2.11.txt index f975e45166..1e5187d7ec 100644 --- a/docs/releases/5.2.11.txt +++ b/docs/releases/5.2.11.txt @@ -17,3 +17,15 @@ allowed remote attackers to enumerate users via a timing attack. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2025-14550: Potential denial-of-service vulnerability via repeated headers when using ASGI +============================================================================================== + +When receiving duplicates of a single header, ``ASGIRequest`` allowed a remote +attacker to cause a potential denial-of-service via a specifically created +request with multiple duplicate headers. The vulnerability resulted from +repeated string concatenation while combining repeated headers, which +produced super-linear computation resulting in service degradation or outage. + +This issue has severity "moderate" according to the :ref:`Django security +policy <security-disclosure>`. |