CVE-2023-41164
📋 TL;DR
This vulnerability in Django's uri_to_iri() function allows attackers to cause denial of service by sending requests with extremely large Unicode strings that trigger excessive resource consumption. It affects Django applications using the vulnerable function for URL processing. Organizations running affected Django versions with internet-facing applications are at risk.
💻 Affected Systems
- Django
📦 What is this software?
Django by Djangoproject
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion, potentially affecting all users of the Django application.
Likely Case
Degraded performance or temporary service disruption for targeted endpoints using uri_to_iri() processing.
If Mitigated
Minimal impact with proper input validation, rate limiting, and resource monitoring in place.
🎯 Exploit Status
Attack requires sending specially crafted requests with large Unicode payloads to endpoints using uri_to_iri().
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Django 3.2.21, 4.1.11, or 4.2.5
Vendor Advisory: https://docs.djangoproject.com/en/4.2/releases/security/
Restart Required: Yes
Instructions:
1. Identify Django version: python -m django --version
2. Upgrade using pip: pip install --upgrade Django==3.2.21 (or 4.1.11/4.2.5)
3. Restart Django application services
4. Test application functionality
🔧 Temporary Workarounds
Input Length Validation
Implement middleware or view decorators that reject requests containing excessively long Unicode strings before they reach uri_to_iri().
Rate Limiting
Configure rate limiting on endpoints that use uri_to_iri() to prevent mass exploitation attempts.
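The input-length workaround above, as an added example that is not part of the advisory or of Django itself: a framework-agnostic WSGI middleware that answers 414 to over-long request targets before the request reaches Django, and therefore before uri_to_iri() can be called on it. The 8192-character limit, the class and function names and the constructed requests are assumptions.

```python
# Assumed ceiling for PATH_INFO + QUERY_STRING, in characters (not a value from the
# advisory). Under PEP 3333 a WSGI server decodes PATH_INFO as latin-1, so one
# character here corresponds to one raw byte on the wire.
MAX_REQUEST_TARGET_LEN = 8192

def request_target_length(environ):
    """Length of the request target (path plus query string) as received."""
    return len(environ.get("PATH_INFO", "")) + len(environ.get("QUERY_STRING", ""))

class RequestTargetLengthLimit:
    """WSGI middleware answering 414 URI Too Long when the target exceeds the limit.

    Wrap Django's WSGI application (what get_wsgi_application() returns) so the
    check runs before any Django code, uri_to_iri() included, touches the URL.
    """

    def __init__(self, app, limit=MAX_REQUEST_TARGET_LEN):
        self.app = app
        self.limit = limit

    def __call__(self, environ, start_response):
        if request_target_length(environ) > self.limit:
            body = b"URI Too Long\n"
            start_response("414 URI Too Long", [("Content-Type", "text/plain"),
                                                ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)

def _demo_app(environ, start_response):
    """Constructed stand-in for the wrapped Django application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def run_request(path_info, query_string="", limit=MAX_REQUEST_TARGET_LEN):
    """Drive the middleware with a constructed WSGI environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    app = RequestTargetLengthLimit(_demo_app, limit=limit)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path_info,
               "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return captured["status"], body

if __name__ == "__main__":
    print(run_request("/search/", "q=django"))      # ('200 OK', b'ok\n')
    print(run_request("/" + "\u00e9" * 20000))      # ('414 URI Too Long', b'URI Too Long\n')
```

Requests rejected here never reach Django's logging, so count the 414 responses at the WSGI server or reverse proxy if you want them as a detection signal.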
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block requests with excessive Unicode content
- Monitor system resources and set alerts for abnormal memory/CPU usage patterns
🔍 How to Verify
Check if Vulnerable:
Run the version check below and compare the result against the patched versions listed above.
Check Version:
python -c "import django; print(django.get_version())"
Verify Fix Applied:
Confirm that the version is 3.2.21, 4.1.11, or 4.2.5 or higher using the same version check command.
📡 Detection & Monitoring
Log Indicators:
- Requests with unusually long Unicode strings in URLs
- Increased memory/CPU usage on Django workers
- Slow response times on URL processing endpoints
Network Indicators:
- HTTP requests with extremely long URL parameters containing Unicode
- Multiple rapid requests to same endpoint with varying Unicode payloads
SIEM Query:
source="django" AND (url_length>10000 OR message="MemoryError" OR message="Timeout")
🔗 References
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
- https://security.netapp.com/advisory/ntap-20231214-0002/
- https://www.djangoproject.com/weblog/2023/sep/04/security-releases/