CVE-2024-39614

7.5 HIGH

📋 TL;DR

This vulnerability in Django's get_supported_language_variant() function allows attackers to cause a denial of service by sending very long strings containing specific characters. It affects Django applications that use this function for language handling. Django 5.0 before 5.0.7 and 4.2 before 4.2.14 are vulnerable.

💻 Affected Systems

Products:
  • Django
Versions: Django 5.0.x before 5.0.7, Django 4.2.x before 4.2.14
Operating Systems: All operating systems running Django
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that call the get_supported_language_variant() function. Django installations that use language handling features are most vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to resource exhaustion, potentially affecting all users of the Django application.

🟠 Likely Case: Degraded performance or temporary service disruption affecting specific endpoints using language variant functionality.

🟢 If Mitigated: Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH - Public-facing Django applications are directly exposed to attack vectors.
🏢 Internal Only: MEDIUM - Internal applications could still be targeted by authenticated users or through other attack paths.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted long strings to endpoints using the vulnerable function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 5.0.7 or 4.2.14

Vendor Advisory: https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

Restart Required: Yes

Instructions:

1. Back up your Django project.
2. Update Django using pip: 'pip install Django==5.0.7' or 'pip install Django==4.2.14'.
3. Restart your Django application server.
4. Verify the update with 'python -m django --version'.

🔧 Temporary Workarounds

Input Length Limitation

all

Implement request size limits and input validation to restrict long strings.

# In Django settings or middleware, implement request size limits
# Example using Django middleware or web server configuration
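As an added example (not code from the advisory or from Django itself), the following middleware bounds the language inputs that Django's LocaleMiddleware later passes to get_supported_language_variant(): the Accept-Language header and the language cookie. The limits MAX_HEADER_LEN, MAX_TAG_LEN and MAX_TAGS are illustrative assumptions, and the cookie name assumes Django's default django_language; it uses only the standard middleware calling convention, so it runs without Django installed.

```python
# Added example (not from the advisory or the Django project): bound the
# language inputs that Django's LocaleMiddleware later hands to
# get_supported_language_variant(). Limits are illustrative assumptions.
MAX_HEADER_LEN = 500   # assumed cap on the whole Accept-Language header
MAX_TAG_LEN = 35       # assumed cap per language tag
MAX_TAGS = 10          # assumed cap on tags kept per request
LANGUAGE_COOKIE_NAME = "django_language"  # Django's default; change if overridden


def bound_accept_language(value):
    """Return a bounded Accept-Language value, or "" if it should be dropped.
    An oversized header is discarded whole rather than truncated mid-tag, so
    Django falls back to settings.LANGUAGE_CODE instead of parsing it."""
    if value is None or len(value) > MAX_HEADER_LEN:
        return ""
    kept = []
    for part in value.split(","):
        tag = part.strip()
        if not tag:
            continue
        lang = tag.split(";", 1)[0].strip()      # ignore the ;q= weight
        if len(lang) > MAX_TAG_LEN or not all(c.isalnum() or c in "-*" for c in lang):
            continue                             # drop oversized or malformed tags
        kept.append(tag)
        if len(kept) >= MAX_TAGS:
            break
    return ",".join(kept)


class BoundLanguageInputMiddleware:
    """List this before django.middleware.locale.LocaleMiddleware in MIDDLEWARE."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        header = request.META.get("HTTP_ACCEPT_LANGUAGE")
        if header is not None:
            bounded = bound_accept_language(header)
            if bounded:
                request.META["HTTP_ACCEPT_LANGUAGE"] = bounded
            else:
                del request.META["HTTP_ACCEPT_LANGUAGE"]
        # LocaleMiddleware also consults the language cookie; drop it when it
        # is longer than any legitimate language tag.
        cookie = request.COOKIES.get(LANGUAGE_COOKIE_NAME)
        if cookie is not None and len(cookie) > MAX_TAG_LEN:
            del request.COOKIES[LANGUAGE_COOKIE_NAME]
        return self.get_response(request)
```

The language prefix in URL paths is not covered here; that input is bounded only by the request size limits of the web server in front of Django.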

Disable Vulnerable Function

all

Avoid using get_supported_language_variant() if not essential for your application.

# Review codebase for usage of get_supported_language_variant()
# Replace with alternative language handling if possible

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests with very long strings containing suspicious patterns.
  • Monitor application performance metrics and logs for unusual resource consumption patterns.

🔍 How to Verify

Check if Vulnerable:

Check the Django version with 'python -m django --version'. If the version is 5.0.0-5.0.6 or 4.2.0-4.2.13, you are vulnerable.

Check Version:

python -m django --version

Verify Fix Applied:

After patching, verify that the version shows 5.0.7 or 4.2.14 and test that language handling still works normally.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long request strings in access logs
  • High CPU/memory usage spikes in system logs
  • Error logs related to language handling functions

Network Indicators:

  • Large HTTP requests to language-related endpoints
  • Repeated requests with similar long string patterns

SIEM Query:

source="django_access.log" AND request_length>10000 AND (uri CONTAINS "language" OR uri CONTAINS "locale")
