Login Sign Up

CVE-2021-33571

7.5 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to bypass IP-based access controls in Django applications by using leading zeros in IPv4 addresses (octal notation). Affected systems include Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, where URLValidator and IP validation functions don't properly reject octal-formatted IP addresses.

💻 Affected Systems

Products:
  • Django
Versions: Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4
Operating Systems: All operating systems running affected Django versions
Default Config Vulnerable: ⚠️ Yes
Notes: validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+. The vulnerability affects URLValidator and related validation functions.

📦 What is this software?

Django by Djangoproject

View all CVEs affecting Django →

Django by Djangoproject

View all CVEs affecting Django →

Django by Djangoproject

View all CVEs affecting Django →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete bypass of IP-based access controls, allowing unauthorized access to restricted administrative interfaces, API endpoints, or sensitive data.

🟠

Likely Case

Partial access control bypass where attackers can reach endpoints intended only for specific IP ranges by using alternative IP representations.

🟢

If Mitigated

Minimal impact if additional authentication layers exist beyond IP-based controls.

🌐 Internet-Facing: HIGH - Internet-facing Django applications with IP-based restrictions are directly vulnerable to bypass attempts.
🏢 Internal Only: MEDIUM - Internal applications may still be vulnerable if attackers gain internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of IP-based restrictions and can be performed by simply using octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 2.2.24, 3.1.12, or 3.2.4

Vendor Advisory: https://docs.djangoproject.com/en/3.2/releases/security/

Restart Required: Yes

Instructions:

1. Upgrade Django to version 2.2.24, 3.1.12, or 3.2.4 depending on your major version. 2. Update requirements.txt or pip install: 'pip install Django==3.2.4' (adjust version). 3. Restart your Django application server.

🔧 Temporary Workarounds

Custom IP Validation Middleware

all

Implement custom middleware to strip leading zeros from IP addresses before validation

Create middleware file with IP normalization logic
Add to MIDDLEWARE setting in settings.py

Python 3.9.5+ Upgrade

linux

Upgrade to Python 3.9.5 or later which fixes the underlying Python issue for validate_ipv4_address and validate_ipv46_address

sudo apt-get install python3.9
python3.9 -m pip install Django

🧯 If You Can't Patch

  • Implement additional authentication layers beyond IP-based controls
  • Use web application firewall (WAF) rules to block requests with octal IP notation

🔍 How to Verify

Check if Vulnerable:

Check Django version: 'python -m django --version'. If version is 2.2 (<2.2.24), 3.1 (<3.1.12), or 3.2 (<3.2.4), you are vulnerable.

Check Version:

python -m django --version

Verify Fix Applied:

After upgrade, test with octal IP addresses in URLValidator to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Requests with IP addresses containing leading zeros (e.g., 0177.0.0.1)
  • Access to restricted endpoints from unexpected IP ranges

Network Indicators:

  • HTTP requests with octal-formatted IP addresses in headers or parameters

SIEM Query:

source_ip:"0[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" OR http_user_agent:"0[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"

📊 Metadata

CVE ID: CVE-2021-33571
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-918
Published: June 8, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-33571, you might also want to check these:

CVE-2023-3432 10.0

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in PlantUML versions prior to ...

Same vulnerability type (CWE-918)
CVE-2025-2828 10.0

This Server-Side Request Forgery (SSRF) vulnerability in langchain-community's RequestsToolkit allow...

Same vulnerability type (CWE-918)
CVE-2023-43654 10.0

TorchServe versions 0.1.0 to 0.8.1 have a critical vulnerability where the default configuration lac...

Same vulnerability type (CWE-918)