CVE-2025-13473

5.3 MEDIUM

📋 TL;DR

This vulnerability in Django's mod_wsgi authentication handler (django.contrib.auth.handlers.modwsgi.check_password()) lets an unauthenticated attacker determine whether a username exists by measuring the difference in response time between a request for an existing account and one for a nonexistent account. It affects Django 6.0 before 6.0.2, 5.2 before 5.2.11 and 4.2 before 4.2.28, and very likely the earlier, unsupported series as well. Only deployments that delegate HTTP authentication from Apache/mod_wsgi to this handler are exposed.

💻 Affected Systems

Products:
  • Django
Versions: 6.0 before 6.0.2, 5.2 before 5.2.11, 4.2 before 4.2.28, and potentially earlier unsupported versions (5.0.x, 4.1.x, 3.2.x)
Operating Systems: All
Default Config Vulnerable: No
Notes: Django does not use this handler unless Apache is explicitly configured to delegate authentication to it; only deployments that call django.contrib.auth.handlers.modwsgi.check_password() via mod_wsgi are affected.

📦 What is this software?

Django is a Python web framework. django.contrib.auth.handlers.modwsgi.check_password() is an optional helper that lets Apache's mod_wsgi check HTTP Basic credentials against Django's user database, so that Apache itself (rather than a Django view) can protect resources such as static files or other applications with Django accounts.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can enumerate valid usernames, enabling targeted credential stuffing attacks and facilitating account takeover attempts.

🟠

Likely Case

Attackers discover valid usernames, increasing risk of successful brute-force attacks against those accounts.

🟢

If Mitigated

With rate limiting and strong password policies, impact is limited to username disclosure without credential compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Timing attacks are well understood and need nothing beyond network access to the protected resource: the attacker sends repeated requests for each candidate username, samples the response time, and compares existing accounts (which pay the cost of the password hash) against nonexistent ones. Network jitter is averaged out by taking more samples.
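The pattern behind this class of bug, as an added illustration (not code from Django or from this advisory): a handler that returns early for an unknown username never runs the password hasher, so a nonexistent user answers measurably faster than a real user with a wrong password. The hardened variant runs the hasher on a fixed dummy salt in the not-found branch so both paths cost the same. Everything here is constructed: the user table, the PBKDF2 parameters (far fewer iterations than Django's default, to keep the demo fast) and the timing helper.

```python
import hashlib
import hmac
import os
import time

# Constructed demo parameters; real deployments use far more iterations.
ITERATIONS = 20_000
DUMMY_SALT = b"constant-dummy-salt"   # fixed salt for the "user not found" path

# Records every hasher invocation so callers can see which path hashed.
HASH_CALLS = []


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow password hash standing in for Django's PBKDF2 hasher."""
    HASH_CALLS.append(salt)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)


# Constructed user table with a single real account.
USERS = {"alice": _make_user("correct horse")}


def check_password_vulnerable(username: str, password: str):
    """Flawed shape: returns None for an unknown user before any hashing."""
    entry = USERS.get(username)
    if entry is None:
        return None                      # fast path, no hasher run: leaks existence
    salt, digest = entry
    return hmac.compare_digest(_pbkdf2(password, salt), digest)


def check_password_hardened(username: str, password: str):
    """Same contract, but the unknown-user branch pays the hashing cost too."""
    entry = USERS.get(username)
    if entry is None:
        _pbkdf2(password, DUMMY_SALT)    # burn the same work, discard the result
        return None
    salt, digest = entry
    return hmac.compare_digest(_pbkdf2(password, salt), digest)


def hasher_calls(fn, username: str, password: str) -> int:
    """How many times fn ran the password hasher for one call."""
    HASH_CALLS.clear()
    fn(username, password)
    return len(HASH_CALLS)


def timing_ratio(fn, reps: int = 5) -> float:
    """Median latency for a nonexistent user divided by the median latency for
    a real user with a wrong password. Near 0 means the handler leaks; near 1
    means both paths cost the same."""
    def median(samples):
        ordered = sorted(samples)
        return ordered[len(ordered) // 2]

    def measure(username):
        samples = []
        for _ in range(reps):
            start = time.perf_counter()
            fn(username, "wrong password")
            samples.append(time.perf_counter() - start)
        return median(samples)

    return measure("nobody") / measure("alice")


if __name__ == "__main__":
    print("vulnerable ratio:", round(timing_ratio(check_password_vulnerable), 4))
    print("hardened ratio:  ", round(timing_ratio(check_password_hardened), 4))
```

The ratio is the attacker's signal: with the vulnerable handler the nonexistent-user path is orders of magnitude faster than a real account, and a handful of samples per username is enough to separate the two classes even over a noisy network.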

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.2, 5.2.11, 4.2.28

Vendor Advisory: https://docs.djangoproject.com/en/dev/releases/security/

Restart Required: Yes

Instructions:

1. Upgrade Django to the patched release for your series: pip install --upgrade django==[version]
2. Restart the WSGI server (e.g. Apache with mod_wsgi) so the new code is loaded.
3. Verify the update with python -m django --version.

🔧 Temporary Workarounds

Disable mod_wsgi authentication handler

Applies to: all

Switch to an authentication method that does not route through the vulnerable check_password() handler (for example, protect the resource with a Django view behind the normal login flow instead of Apache-level Basic auth).

Implement request rate limiting

Applies to: all

Rate limit the Apache locations that use the mod_wsgi auth provider. A timing attack needs many samples per candidate username to average out network jitter, so limiting attempts per client raises the cost of enumeration; it does not remove the timing difference itself.

🧯 If You Can't Patch

  • Implement network-level rate limiting and alert on bursts of HTTP 401 responses or authentication failures from a single client
  • Use Web Application Firewall (WAF) or reverse-proxy rules to throttle or block clients that generate many authentication failures for distinct usernames in a short window (a WAF cannot observe the timing side channel itself, only the request volume the attack requires)

🔍 How to Verify

Check if Vulnerable:

Check the Django version and whether the mod_wsgi handler is in use: python -c "import django; print(django.VERSION)", then look for a WSGIAuthUserScript directive in the Apache configuration and for django.contrib.auth.handlers.modwsgi in the WSGI script it points to.

Check Version:

python -m django --version

Verify Fix Applied:

Confirm Django is at or above the patched release of its own series (6.0.2 for 6.0.x, 5.2.11 for 5.2.x, 4.2.28 for 4.2.x): python -m django --version. A version number that is merely higher is not enough; 6.0.0 is newer than 5.2.11 but still vulnerable.
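A small checker, added here and not part of the Django project, that encodes the per-series comparison above and the exposure condition from the Affected Systems notes. The Apache directive names (WSGIAuthUserScript, AuthBasicProvider wsgi) are real mod_wsgi/Apache directives; the sample httpd.conf fragment and wsgi.py contents are constructed, and the rule that any series newer than 6.0 carries the fix is an assumption.

```python
import re

# Patched releases named in this advisory, keyed by release series.
FIXED_IN = {(6, 0): (6, 0, 2), (5, 2): (5, 2, 11), (4, 2): (4, 2, 28)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """'5.2.11' -> (5, 2, 11); '6.1a1' -> (6, 1, 0). Pre-release tags are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_status(text: str) -> str:
    """'patched', 'vulnerable', or 'unsupported' (a series that received no fix)."""
    ver = parse_version(text)
    series = ver[:2]
    if series in FIXED_IN:
        return "patched" if ver >= FIXED_IN[series] else "vulnerable"
    if series > max(FIXED_IN):
        # Assumption: any series newer than 6.0 was branched after the fix landed.
        return "patched"
    return "unsupported"


_AUTH_SCRIPT_RE = re.compile(r"^\s*WSGIAuthUserScript\s+", re.MULTILINE)


def uses_modwsgi_handler(apache_conf: str, wsgi_script: str) -> bool:
    """Exposure needs both: Apache delegating auth to a WSGI script, and that
    script wiring in Django's modwsgi check_password()."""
    delegated = bool(_AUTH_SCRIPT_RE.search(apache_conf))
    wired = "django.contrib.auth.handlers.modwsgi" in wsgi_script
    return delegated and wired


def assess(version: str, apache_conf: str, wsgi_script: str) -> str:
    """One-line verdict combining exposure and version status."""
    if not uses_modwsgi_handler(apache_conf, wsgi_script):
        return "not exposed: handler not in use"
    return {
        "patched": "patched",
        "vulnerable": "VULNERABLE: upgrade to the patched release of this series",
        "unsupported": "VULNERABLE: unsupported series, no fix available; upgrade series",
    }[version_status(version)]


# Constructed samples standing in for a real httpd.conf fragment and wsgi.py.
SAMPLE_APACHE_CONF = """
<Location "/reports">
    AuthType Basic
    AuthName "Reports"
    AuthBasicProvider wsgi
    WSGIAuthUserScript /srv/app/wsgi.py
    Require valid-user
</Location>
"""

SAMPLE_WSGI_SCRIPT = """
import os
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "app.settings")
from django.contrib.auth.handlers.modwsgi import check_password
"""

if __name__ == "__main__":
    for v in ("6.0.1", "6.0.2", "5.2.10", "5.1.5", "4.2.28"):
        print(f"{v:8} -> {assess(v, SAMPLE_APACHE_CONF, SAMPLE_WSGI_SCRIPT)}")
```

Feed it the output of python -m django --version plus the contents of the relevant Apache config and WSGI script; a deployment without WSGIAuthUserScript is not exposed regardless of version.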

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns of authentication requests with consistent timing intervals
  • Multiple failed login attempts for non-existent usernames

Network Indicators:

  • High volume of authentication requests to mod_wsgi endpoints with precise timing

SIEM Query:

source="auth.log" OR source="application.log" | search "authentication" AND "failed" | stats count by src_ip, user | where count > threshold
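The log indicators above, turned into detection logic as an added example (not part of this advisory or any vendor tooling). When Apache delegates Basic auth to the wsgi provider, mod_auth_basic writes a "user X not found" line when the handler returns None and a "Password Mismatch" line when it returns False, so a client that triggers many "not found" lines for distinct usernames at a steady cadence is the enumeration signature. The sample log lines are constructed to resemble that format; the thresholds are assumptions to tune per site.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Apache error-log lines in the shape mod_auth_basic emits for the
# wsgi provider: one scripted client probing six names every 2 s, one human
# mistyping a real password twice.
SAMPLE_LOG = """
[Tue Jan 13 10:00:00.000000 2026] [auth_basic:error] [pid 4242:tid 1] [client 203.0.113.5:50001] AH01617: user alice: authentication failure for "/reports": Password Mismatch
[Tue Jan 13 10:00:02.000000 2026] [auth_basic:error] [pid 4242:tid 1] [client 203.0.113.5:50002] AH01618: user bob not found: /reports
[Tue Jan 13 10:00:04.000000 2026] [auth_basic:error] [pid 4242:tid 1] [client 203.0.113.5:50003] AH01618: user carol not found: /reports
[Tue Jan 13 10:00:06.000000 2026] [auth_basic:error] [pid 4242:tid 1] [client 203.0.113.5:50004] AH01618: user dave not found: /reports
[Tue Jan 13 10:00:08.000000 2026] [auth_basic:error] [pid 4242:tid 1] [client 203.0.113.5:50005] AH01617: user erin: authentication failure for "/reports": Password Mismatch
[Tue Jan 13 10:00:10.000000 2026] [auth_basic:error] [pid 4242:tid 1] [client 203.0.113.5:50006] AH01618: user frank not found: /reports
[Tue Jan 13 10:03:15.200000 2026] [auth_basic:error] [pid 4242:tid 1] [client 198.51.100.7:40001] AH01617: user alice: authentication failure for "/reports": Password Mismatch
[Tue Jan 13 10:03:41.900000 2026] [auth_basic:error] [pid 4242:tid 1] [client 198.51.100.7:40002] AH01617: user alice: authentication failure for "/reports": Password Mismatch
""".strip().splitlines()

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid [^\]]*\] "
    r"\[client (?P<ip>[^\]:]+):\d+\] (?P<code>AH\d+): user (?P<user>\S+?)"
    r"(?P<reason> not found|: authentication failure)"
)


def parse(lines):
    """Return (timestamp, client_ip, username, reason) for each auth failure line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        events.append((ts, m["ip"], m["user"], m["reason"].strip(" :")))
    return events


def profile(events, min_unknown=3, min_requests=5, max_cv=0.2):
    """Per client IP: distinct unknown usernames, request count, and whether the
    inter-request gaps are regular (coefficient of variation below max_cv).
    Flags a client that probes many unknown names or fires at a steady cadence."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev[1]].append(ev)
    report = {}
    for ip, evs in per_ip.items():
        evs.sort()
        unknown = {user for _, _, user, reason in evs if reason == "not found"}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        regular = False
        if len(gaps) >= 3:
            mean = statistics.mean(gaps)
            regular = mean > 0 and statistics.pstdev(gaps) / mean < max_cv
        report[ip] = {
            "requests": len(evs),
            "unknown_users": sorted(unknown),
            "regular_interval": regular,
            "suspicious": len(unknown) >= min_unknown
                          or (len(evs) >= min_requests and regular),
        }
    return report


if __name__ == "__main__":
    for ip, facts in profile(parse(SAMPLE_LOG)).items():
        print(ip, facts)
```

The "not found" versus "Password Mismatch" distinction is what makes this detection cheap: a human who mistypes a password produces mismatch lines for one real account, whereas enumeration produces not-found lines for a stream of different names.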
