[4.2.x] Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.

Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Backport of c880530ddd4fabd5939bab0e148bebe36699432a from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-10-16 16:28:33 -0400
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-11-05 09:52:56 -0300
commit: 770eea38d7a0e9ba9455140b5a9a9e33618226a7 (patch)
tree: ad731e4465db6a4ee3f88c609612ce0aa473ea9a /docs
parent: 80976bd89e9e1fdfb98c4d902ca4dc59bd3d1d46 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt
index e0db257c04..ae274c3361 100644
--- a/docs/releases/4.2.26.txt
+++ b/docs/releases/4.2.26.txt
@@ -7,4 +7,12 @@ Django 4.2.26 release notes
 Django 4.2.26 fixes one security issue with severity "high" and one security
 issue with severity "moderate" in 4.2.25.
 
-...
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-10-16 16:28:33 -0400
committer	Natalia <124304+nessita@users.noreply.github.com>	2025-11-05 09:52:56 -0300
commit	770eea38d7a0e9ba9455140b5a9a9e33618226a7 (patch)
tree	ad731e4465db6a4ee3f88c609612ce0aa473ea9a /docs
parent	80976bd89e9e1fdfb98c4d902ca4dc59bd3d1d46 (diff)