CVE-2025-26699

5.0 MEDIUM

📋 TL;DR

A denial-of-service vulnerability exists in Django's text wrapping functions when processing extremely long strings. Attackers can cause excessive CPU consumption by passing specially crafted input to django.utils.text.wrap() or the wordwrap template filter. This affects Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20.

💻 Affected Systems

Products:
  • Django
Versions: Django 5.1 before 5.1.7, Django 5.0 before 5.0.13, Django 4.2 before 4.2.20
Operating Systems: All operating systems running affected Django versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications using django.utils.text.wrap() or the wordwrap template filter are vulnerable. Many Django applications may not use these functions.

📦 What is this software?

Django is a widely used Python web framework. django.utils.text.wrap() is a utility that wraps text at a given column width, and the wordwrap template filter exposes the same function to templates, so any view or template that passes user-supplied text through either of them is in scope for this issue.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to resource exhaustion, potentially affecting multiple Django applications on the same server.

🟠 Likely Case

Degraded performance or temporary service disruption for affected endpoints until the malicious request times out or is terminated.

🟢 If Mitigated

Minimal impact with proper input validation, rate limiting, and monitoring in place.

🌐 Internet-Facing: MEDIUM - Public endpoints that pass untrusted input to wrap() or the wordwrap filter can be targeted; exploitation requires such an endpoint to exist and to accept a large enough value.
🏢 Internal Only: LOW - Internal applications are less likely to receive malicious input, though the risk remains wherever untrusted users can reach an endpoint that uses these functions.

🎯 Exploit Status

Public PoC: No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a very long string to an endpoint that passes it to django.utils.text.wrap() or the wordwrap filter. No authentication is needed if that endpoint is public, and a single request can be enough, so rate limiting alone does not remove the risk.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 5.1.7, Django 5.0.13, Django 4.2.20

Vendor Advisory: https://www.djangoproject.com/weblog/2025/mar/06/security-releases/

Restart Required: Yes

Instructions:

1. Back up your Django project and database.
2. Update Django with pip: pip install Django==5.1.7 (or the patched release for your series: 5.0.13 or 4.2.20).
3. Restart your application server (e.g., Gunicorn, uWSGI) so the updated code is loaded; a running process keeps the old module in memory.
4. Test application functionality, including any endpoints that render wrapped text.

🔧 Temporary Workarounds

Input length validation (all platforms)

Add validation that rejects or truncates over-long strings before they reach wrap() or the wordwrap filter, for example with max_length on the form or model field that collects the text.

Disable vulnerable functions (all platforms)

Replace uses of django.utils.text.wrap() and the wordwrap template filter with an alternative implementation that bounds the size of its input.
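The two workarounds above can be combined in one drop-in replacement. The block below is an added example, not Django's own implementation and not code from the advisory: it rejects input over a configurable limit before doing any work, and wraps the remainder line by line without splitting words. The limit value, the function names and the exception type are assumptions chosen for this example; the 10,000-character figure follows the threshold suggested later on this page.

```python
# Added example (not Django's code): a bounded stand-in for
# django.utils.text.wrap() / the wordwrap filter, usable as a stopgap until the
# patched release is installed. MAX_WRAP_INPUT is an application-chosen limit
# (assumption for this example; pick a value that fits your real data).

MAX_WRAP_INPUT = 10_000


class InputTooLong(ValueError):
    """Raised when text exceeds the configured wrap limit."""


def check_wrap_input(text: str, max_len: int = MAX_WRAP_INPUT) -> bool:
    """Return True if `text` is a str no longer than `max_len` characters.

    Checking the length up front is the mitigation: the cost of the call is
    bounded by the limit, not by whatever a client chose to send.
    """
    return isinstance(text, str) and len(text) <= max_len


def bounded_wrap(text: str, width: int, max_len: int = MAX_WRAP_INPUT) -> str:
    """Wrap each line of `text` at `width` columns without splitting words.

    Existing newlines are preserved and a word longer than `width` is left
    intact on a line of its own. Input that fails check_wrap_input() is
    rejected with InputTooLong instead of being processed.
    """
    if not isinstance(text, str):
        raise TypeError("text must be str")
    if not check_wrap_input(text, max_len):
        raise InputTooLong(f"input of {len(text)} chars exceeds limit of {max_len}")
    if width < 1:
        raise ValueError("width must be >= 1")

    out_lines = []
    for line in text.split("\n"):
        current = ""
        for word in line.split(" "):
            if not current:
                current = word
            elif len(current) + 1 + len(word) <= width:
                current = f"{current} {word}"
            else:
                out_lines.append(current)
                current = word
        out_lines.append(current)
    return "\n".join(out_lines)


if __name__ == "__main__":
    print(bounded_wrap("the quick brown fox jumps", 10))
    try:
        bounded_wrap("A" * (MAX_WRAP_INPUT + 1), 40)
    except InputTooLong as exc:
        print("rejected:", exc)
```

To expose it in templates, register bounded_wrap under a new name (for example safe_wordwrap) in a templatetags library and switch templates to that filter; leaving the name wordwrap in place risks missing call sites that still use the builtin.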

🧯 If You Can't Patch

  • Implement strict input validation to reject strings longer than a reasonable threshold (e.g., 10,000 characters) on every field that is later wrapped.
  • Deploy rate limiting and web application firewall rules to block requests with unusually long parameters. Note that Django's DATA_UPLOAD_MAX_MEMORY_SIZE setting caps the request body, but its default of 2.5 MB is far above the size at which wrapping becomes expensive, so it is not a substitute for per-field length checks.

🔍 How to Verify

Check if Vulnerable:

Check Django version: 'python -m django --version'. If version is 5.1.0-5.1.6, 5.0.0-5.0.12, or 4.2.0-4.2.19, you are vulnerable.

Check Version:

python -m django --version

Verify Fix Applied:

After updating, verify version shows 5.1.7, 5.0.13, or 4.2.20. Test endpoints that use text wrapping with long strings to ensure they handle input properly.
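The version check above can be automated across many hosts or virtual environments. The following is an added example, not part of the advisory and not Django code: it reads the installed Django version from package metadata (so it works without importing Django) and compares it with the first patched release of each affected series listed on this page. Series outside 4.2, 5.0 and 5.1 are reported as "not covered", not as safe; the function names are assumptions for this example.

```python
# Added example (not from the advisory): classify a Django version string
# against the patched releases named on this page.
from importlib.metadata import PackageNotFoundError, version as pkg_version
from typing import Optional

# First patched release per affected series (from the advisory text).
FIXED = {
    (4, 2): (4, 2, 20),
    (5, 0): (5, 0, 13),
    (5, 1): (5, 1, 7),
}


def parse_version(v: str) -> tuple:
    """Turn '5.1.6', '5.1.6rc1' or '5.1' into a comparable (major, minor, patch).

    Pre-release suffixes are dropped and a missing patch component counts as 0,
    so '5.1' is treated as 5.1.0 (older than 5.1.7).
    """
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(v: str) -> Optional[bool]:
    """True if v is in an affected range, False if it is patched, None if the
    series is not covered by this advisory (e.g. 3.2 or 5.2)."""
    major, minor, patch = parse_version(v)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def installed_django_status() -> tuple:
    """Return (version, vulnerable?) for the Django installed in this
    environment, or (None, None) if Django is not installed."""
    try:
        v = pkg_version("Django")
    except PackageNotFoundError:
        return None, None
    return v, is_vulnerable(v)


if __name__ == "__main__":
    installed, status = installed_django_status()
    if installed is None:
        print("Django is not installed in this environment")
    elif status is None:
        print(f"Django {installed}: series not covered by this advisory; check support status")
    else:
        print(f"Django {installed}: {'VULNERABLE' if status else 'patched'}")
```

Run it inside each virtual environment that serves an application; a system-wide Django is not what a Gunicorn or uWSGI process in a venv actually loads.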

📡 Detection & Monitoring

Log Indicators:

  • Requests with extremely long parameter values
  • High CPU usage spikes on Django processes
  • Application timeouts or 500 errors

Network Indicators:

  • HTTP requests with parameters exceeding normal length thresholds

SIEM Query (illustrative; the source and field names depend on your log pipeline):

source="django" AND (message="Timeout" OR message="CPU" OR param_length>10000)
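Most log pipelines do not expose a param_length field out of the box, so the condition has to be derived from the request line. The block below is an added example, not part of the advisory: it parses combined-format access log lines, measures the longest query-string value per request, and flags entries above a threshold. The log lines are constructed for this example, and the threshold and output field names are assumptions.

```python
# Added example (not from the advisory): derive a "longest parameter value"
# measure from access-log lines and flag requests above a threshold.
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption for this example; align it with the validation limit you enforce.
PARAM_THRESHOLD = 10_000


def longest_param(target: str) -> tuple:
    """Return (name, length) of the longest decoded value in the query string
    of a request target such as '/preview?text=...'; ('', 0) if none."""
    best = ("", 0)
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for v in values:
            if len(v) > best[1]:
                best = (name, len(v))
    return best


def suspicious_requests(lines, threshold: int = PARAM_THRESHOLD) -> list:
    """Parse each access-log line and return a record for every request whose
    longest query parameter exceeds `threshold` characters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        name, length = longest_param(m["target"])
        if length > threshold:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "param": name,
                "length": length,
                "status": int(m["status"]),
            })
    return hits


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Mar/2025:10:00:01 +0000] "GET /preview?text=hello+world HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Mar/2025:10:00:02 +0000] "GET /preview?text=' + "A" * 12_000 + ' HTTP/1.1" 504 0',
    '198.51.100.7 - - [06/Mar/2025:10:00:03 +0000] "POST /login HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} param={hit['param']} "
              f"len={hit['length']} status={hit['status']}")
```

This only sees query strings; a value submitted in a POST body never appears in the access log. For form posts, record the request body size (or the length of the specific field) at the WSGI or middleware layer, or rely on a WAF that inspects bodies, and feed that measurement into the same threshold logic.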

🔗 References

  • Django security releases, March 6, 2025: https://www.djangoproject.com/weblog/2025/mar/06/security-releases/
