CVE-2020-15225

7.5 HIGH

📋 TL;DR

This vulnerability in django-filter allows attackers to cause a denial of service (DoS) by submitting numbers written in exponential notation with very large exponents to NumberFilter instances. When such a value is converted to an integer, every digit has to be materialised, which can consume excessive CPU and memory and potentially crash the application. All Django applications using django-filter's automatically generated NumberFilter instances are affected.

💻 Affected Systems

Products:
  • django-filter
Versions: All versions before 2.4.0
Operating Systems: All operating systems running Django with django-filter
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects automatically generated NumberFilter instances where values are converted to integers. Custom filters may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Application becomes completely unresponsive or crashes due to resource exhaustion, leading to extended downtime and service disruption.

🟠 Likely Case: Degraded application performance, increased response times, and potential temporary unavailability under attack.

🟢 If Mitigated: Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH - Web applications with public-facing forms using NumberFilter are directly exposed to malicious input.
🏢 Internal Only: MEDIUM - Internal applications could still be targeted by authenticated malicious users or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending specially formatted numeric input to vulnerable endpoints. The advisory includes example payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.0 and later

Vendor Advisory: https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973

Restart Required: Yes

Instructions:

1. Upgrade django-filter to version 2.4.0 or later using pip: 'pip install "django-filter>=2.4.0"' (the quotes stop the shell from treating '>=' as a redirect).
2. Restart your Django application.
3. Test that NumberFilter functionality still works as expected.

🔧 Temporary Workarounds

Apply MaxValueValidator manually

all

Manually add MaxValueValidator with limit_value=1e50 to NumberFilter form fields if you are unable to upgrade immediately. The validator rejects oversized values before the form field's cleaned value is ever converted to an integer.

import django_filters
from django.core.validators import MaxValueValidator

class YourFilter(django_filters.FilterSet):
    # Same ceiling the 2.4.0 fix applies to auto-generated NumberFilter instances.
    your_field = django_filters.NumberFilter(validators=[MaxValueValidator(1e50)])
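As an added, Django-free illustration (not code from django-filter, Django or the advisory), the function below mirrors what the MaxValueValidator workaround achieves: the bound is checked on the parsed Decimal, which is cheap regardless of the exponent, and int() is only called once the value is known to be small. It goes slightly beyond the page's validator by also bounding the negative side; the helper names and the 1e50 ceiling reused from the workaround are assumptions.

```python
"""Constructed example: bound-check a user-supplied number before int conversion."""
from decimal import Decimal, InvalidOperation

# Same ceiling the workaround uses with MaxValueValidator(limit_value=1e50).
MAX_VALUE = Decimal("1e50")


def clean_number(raw: str, limit: Decimal = MAX_VALUE) -> int:
    """Parse a query-string number and convert to int only if its magnitude is bounded.

    Hypothetical helper, not a django-filter API. Decimal parsing and comparison
    operate on the exponent, so they cost about the same for "1e1000000" as for
    "42"; int() would have to materialise every digit, which is where the DoS
    lives, so the bound check must run first.
    """
    try:
        value = Decimal(raw)
    except InvalidOperation:
        raise ValueError(f"not a number: {raw!r}")
    if not value.is_finite():  # rejects 'inf' and 'nan' before any comparison
        raise ValueError("value must be finite")
    # copy_abs() is context-free, so it never rounds or overflows on huge exponents.
    if value.copy_abs() > limit:
        raise ValueError(f"magnitude exceeds limit {limit}")
    return int(value)


def accepts(raw: str) -> bool:
    """True if the input passes the bound check, False if it is rejected."""
    try:
        clean_number(raw)
    except ValueError:
        return False
    return True
```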

🧯 If You Can't Patch

  • Implement WAF rules to block exponential notation inputs with large exponents
  • Add rate limiting to filter endpoints to reduce impact of DoS attempts

🔍 How to Verify

Check if Vulnerable:

Check django-filter version: 'pip show django-filter' or examine requirements.txt. If version < 2.4.0, you are vulnerable.

Check Version:

python -c "import django_filters; print(django_filters.__version__)"

Verify Fix Applied:

After upgrade, verify version is >= 2.4.0 and test that NumberFilter accepts normal inputs but rejects extremely large exponential values.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for filter requests
  • High CPU/memory usage spikes from Django processes
  • Requests with exponential notation (e.g., '1e1000') in query parameters

Network Indicators:

  • Multiple rapid requests to filter endpoints with numeric parameters
  • Traffic patterns showing repeated attempts with varying exponential inputs

SIEM Query:

source="django.log" AND ("NumberFilter" OR "filter") AND ("1e" OR "e+") AND duration>5s
