CVE-2025-14550
📋 TL;DR
This vulnerability in Django's ASGIRequest component allows remote attackers to cause denial-of-service by sending crafted requests with multiple duplicate headers. It affects Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28, potentially impacting earlier unsupported series as well.
💻 Affected Systems
- Django
📦 What is this software?
Django by Djangoproject
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion from crafted requests overwhelming the server.
Likely Case
Degraded performance or intermittent service disruptions from repeated exploitation attempts.
If Mitigated
Minimal impact with proper rate limiting, request filtering, and updated Django versions.
🎯 Exploit Status
Exploitation requires sending HTTP requests with duplicate headers, which is trivial to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.2, 5.2.11, 4.2.28
Vendor Advisory: https://docs.djangoproject.com/en/dev/releases/security/
Restart Required: Yes
Instructions:
1. Check the current Django version with 'python -m django --version'.
2. Upgrade to the patched version: 'pip install --upgrade django==6.0.2' (or the appropriate version for your series: 5.2.11 or 4.2.28).
3. Restart the Django application server.
🔧 Temporary Workarounds
Request Header Filtering
Configure the web server or WAF to reject requests with duplicate headers before they reach Django.
# Example nginx config (the map goes in the http block, the if in a server or location block):
map $http_connection $duplicate_header {
    default 0;
    ~*duplicate 1;   # case-insensitive regex on the Connection header's value; nginx config has no variable that counts how many times a header name repeats
}
if ($duplicate_header) {
    return 444;      # close the connection without sending a response
}
Rate Limiting
Implement rate limiting to prevent mass exploitation attempts.
# Django settings: RATE_LIMIT = '100/hour'   (placeholder: Django itself has no built-in RATE_LIMIT setting; the value is read by whichever rate-limiting middleware you install)
# Or use middleware like django-ratelimit
🧯 If You Can't Patch
- Deploy web application firewall (WAF) with rules to block requests containing duplicate headers.
- Implement reverse proxy with request sanitization to filter malicious headers before reaching Django.
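The request-sanitization layer described above, as an added example that is not Django's code nor part of this advisory: a small ASGI middleware that counts repeated header names in the ASGI scope and answers 400 before the request reaches the wrapped application. The threshold MAX_REPEATS_PER_HEADER, the stand-in inner app and the sample requests are constructed for this example.

```python
import asyncio
from collections import Counter

# Constructed threshold for this example (not a Django setting): a header name
# repeated more often than this marks the request for rejection.
MAX_REPEATS_PER_HEADER = 5


def duplicate_headers(headers, limit=MAX_REPEATS_PER_HEADER):
    """Return lower-cased header names that occur more than `limit` times.
    `headers` is an ASGI-style iterable of (name, value) byte pairs."""
    counts = Counter(name.lower() for name, _ in headers)
    return sorted(name.decode("latin-1") for name, n in counts.items() if n > limit)


class DuplicateHeaderGuard:
    """ASGI middleware: reject over-repeated headers before the inner app sees them."""

    def __init__(self, app, limit=MAX_REPEATS_PER_HEADER):
        self.app = app
        self.limit = limit

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            bad = duplicate_headers(scope.get("headers", ()), self.limit)
            if bad:
                body = ("rejected: repeated headers " + ", ".join(bad)).encode()
                await send({"type": "http.response.start", "status": 400,
                            "headers": [(b"content-type", b"text/plain"),
                                        (b"content-length", str(len(body)).encode())]})
                await send({"type": "http.response.body", "body": body})
                return  # the wrapped application is never called
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    # Constructed stand-in for the protected application (not Django).
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def run_request(headers):
    """Drive the guard with a constructed ASGI scope; return the response status."""
    sent = []
    async def send(msg): sent.append(msg)
    async def receive(): return {"type": "http.request", "body": b"", "more_body": False}
    scope = {"type": "http", "method": "GET", "path": "/", "headers": list(headers)}
    asyncio.run(DuplicateHeaderGuard(_ok_app)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    normal = [(b"host", b"example.test"), (b"accept", b"*/*")]
    flood = [(b"x-flood", b"1")] * 50 + normal  # constructed over-repeated header
    print(run_request(normal), run_request(flood))  # 200 400
```

Wrap the Django ASGI application with DuplicateHeaderGuard in the ASGI entry point, or run the same check in a reverse proxy, so that the limit is tuned to the legitimate repetition your clients produce (for example multiple Cookie or Accept lines).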
🔍 How to Verify
Check if Vulnerable:
Check the Django version: if you are running 6.0.x below 6.0.2, 5.2.x below 5.2.11, or 4.2.x below 4.2.28, the system is vulnerable.
Check Version:
python -m django --version
Verify Fix Applied:
After upgrading, confirm with 'python -m django --version' that the version is 6.0.2, 5.2.11, or 4.2.28 (or later within that series).
📡 Detection & Monitoring
Log Indicators:
- Multiple requests with identical headers from a single IP
- Unusual spike in request processing time
- Error logs showing request parsing failures
Network Indicators:
- HTTP requests containing duplicate header fields
- Abnormal request patterns from single sources
SIEM Query:
source="django" AND (message="ASGIRequest" OR message="header") AND status>=400 | stats count by src_ip