CVE-2025-64458

7.5 HIGH

📋 TL;DR

Django's HttpResponseRedirect and HttpResponsePermanentRedirect classes, and therefore django.shortcuts.redirect(), are subject to a potential denial of service when the redirect target contains a very large number of Unicode characters. The cost comes from the NFKC normalization Python applies while the target URL is parsed, which Django's advisory describes as inefficient on Windows. An attacker who can influence the redirect target (for example through a next parameter that a view hands to redirect()) can send such a payload without authenticating and tie up a worker process for the duration of the normalization. Affected: Django 5.2 before 5.2.8, 5.1 before 5.1.14, and 4.2 before 4.2.26; earlier, unsupported series may also be affected.

💻 Affected Systems

Products:
  • Django
Versions: 5.2 before 5.2.8, 5.1 before 5.1.14, 4.2 before 4.2.26. Earlier unsupported series (5.0.x, 4.1.x, 3.2.x and older) no longer receive fixes and may also be affected.
Operating Systems: Windows. Django's advisory ties the slowness to Python's NFKC normalization on Windows and lists no other platform; the vulnerable code path is the same everywhere, so apply the patch regardless of platform.
Default Config Vulnerable: ⚠️ Yes
Notes: Exposure requires a redirect whose target is built from request data (query parameters, form fields, headers) and passed to HttpResponseRedirect, HttpResponsePermanentRedirect, or django.shortcuts.redirect(). A hard-coded redirect target gives the attacker nothing to control.

📦 What is this software?

Django is a Python web framework; the affected code is its HTTP response layer, which issues the 301/302 redirects that views return.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Worker processes pinned on CPU-bound normalization until the request pool is exhausted, so legitimate requests queue or time out and the service is effectively unavailable; recovery may require restarting the application server.

🟠

Likely Case

Temporary service degradation: individual workers stall on oversized redirect targets, slowing or timing out requests for other users until the normalization finishes.

🟢

If Mitigated

Minimal impact with proper rate limiting, input validation, and monitoring in place.

🌐 Internet-Facing: HIGH - Public endpoints using redirect functions are directly exposed to attack.
🏢 Internal Only: MEDIUM - Internal applications still vulnerable but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker needs an endpoint that feeds request-controlled data into a redirect target, and a request carrying a very large Unicode string in that field. No authentication is needed, and the payload is a single oversized parameter rather than a crafted exploit chain, so it is trivial to reproduce once such an endpoint is found.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 5.1.14, 4.2.26, 5.2.8

Vendor Advisory: https://docs.djangoproject.com/en/dev/releases/security/

Restart Required: Yes

Instructions:

1. Back up your Django application and its dependency lock file.
2. Upgrade Django to the patched release for your series: 'pip install Django==5.2.8', 'pip install Django==5.1.14', or 'pip install Django==4.2.26' (update the pin in requirements.txt or pyproject.toml as well).
3. Restart the application server (for example gunicorn, uwsgi, or the WSGI/ASGI host) so the new code is loaded.
4. Test redirect functionality, including any next-style parameters, with normal inputs.

🔧 Temporary Workarounds

Rate Limiting (applies to: all platforms)

Rate-limit, per client, the endpoints that accept a redirect target from request data. This bounds how many workers one client can pin at once; it does not stop a single oversized request from stalling one worker for the full normalization time.

Input Validation (applies to: all platforms)

Reject or truncate any request-controlled redirect target above a fixed length before it reaches redirect(), HttpResponseRedirect, or any URL parsing, including Django's own url_has_allowed_host_and_scheme(), which parses the URL as well. A couple of kilobytes is more than any legitimate target needs.
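The following is an added example written for this page, not Django project code, showing the input-validation workaround in two layers: a stdlib-only WSGI middleware that refuses oversized redirect parameters before Django parses anything (the same rule a WAF would enforce at the perimeter), and a view-level helper that applies the length cap before the host/scheme check. It assumes the redirect target arrives in a query parameter named next, that 2048 characters is a generous upper bound for a legitimate target, and that the host/scheme check is a simplified re-implementation of Django's url_has_allowed_host_and_scheme(); all three are assumptions to adjust per application.

```python
"""Length cap for request-controlled redirect targets (stdlib only).

Example code written for this page, not Django's own code. It assumes the
redirect target arrives in a query parameter named ``next`` and that 2048
characters is a generous upper bound for a legitimate target; adjust both
per application. The inputs under __main__ are constructed samples.
"""
from urllib.parse import parse_qs, urlsplit

MAX_QUERY_STRING_CHARS = 16384    # assumed coarse cap on the raw query string
MAX_REDIRECT_TARGET_CHARS = 2048  # assumed cap on each redirect parameter
REDIRECT_PARAMS = ("next",)       # assumed names of redirect-target parameters
ALLOWED_SCHEMES = ("http", "https")


def oversized_redirect_param(query_string, params=REDIRECT_PARAMS,
                             limit=MAX_REDIRECT_TARGET_CHARS):
    """Name the first redirect parameter whose decoded value exceeds ``limit``.

    Only the raw query string is inspected; no URL is parsed here. That
    ordering is the point: CPython's urlsplit() NFKC-normalizes a non-ASCII
    host part, the step this CVE makes expensive, so it must never see an
    unbounded input.
    """
    if len(query_string) > MAX_QUERY_STRING_CHARS:
        return "<query-string>"
    fields = parse_qs(query_string, keep_blank_values=True)  # percent-decodes values
    for name in params:
        for value in fields.get(name, ()):
            if len(value) > limit:
                return name
    return None


def safe_redirect_target(raw, allowed_hosts, fallback="/",
                         limit=MAX_REDIRECT_TARGET_CHARS):
    """Return ``raw`` if it is short enough and points at an allowed host.

    The host/scheme part is a simplified stdlib re-implementation of the
    checks in Django's url_has_allowed_host_and_scheme(); in a real view call
    Django's function, but only after the length test, because it parses the
    URL too.
    """
    if not raw or len(raw) > limit:
        return fallback  # rejected without ever parsing the URL
    # Browsers treat backslashes as slashes, so check both spellings.
    for candidate in (raw, raw.replace("\\", "/")):
        if candidate.startswith("///"):
            return fallback
        parts = urlsplit(candidate)
        if parts.scheme and parts.scheme not in ALLOWED_SCHEMES:
            return fallback  # e.g. javascript:
        if parts.scheme and not parts.netloc:
            return fallback  # e.g. "http:///evil" style inputs
        if parts.netloc and parts.netloc.lower() not in allowed_hosts:
            return fallback  # open redirect to a foreign host
    return raw


class RedirectParamGuard:
    """WSGI middleware that answers 400 before Django sees an oversized target.

    Wrap the object returned by django.core.wsgi.get_wsgi_application().
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        offending = oversized_redirect_param(environ.get("QUERY_STRING", ""))
        if offending is None:
            return self.app(environ, start_response)
        body = b"redirect target too long\n"
        start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                           ("Content-Length", str(len(body)))])
        return [body]


if __name__ == "__main__":
    hosts = {"example.com"}
    print(safe_redirect_target("/accounts/profile/", hosts))     # kept as-is
    print(safe_redirect_target("https://evil.example/", hosts))  # "/"
    print(safe_redirect_target("\uff21" * 5000, hosts))          # "/" without parsing
    print(oversized_redirect_param("next=" + "%C3%A9" * 2100))   # "next"
```

The middleware works on the percent-encoded query string that the server already holds in memory, so its cost is linear in the request size and it never touches urlsplit(); POST bodies and headers that feed redirect targets need the same treatment. Inside a view, keep the order shown in safe_redirect_target(): length first, then the host and scheme check, then redirect().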

🧯 If You Can't Patch

  • Add a Web Application Firewall (WAF) rule that blocks requests whose redirect-target parameters (for example next) exceed a fixed size, or whose query string or body carries a long run of percent-encoded non-ASCII bytes. The rule must apply to the parameter the application actually feeds into redirect(), not only to paths containing the word "redirect".
  • Monitor redirect-issuing endpoints for abnormal request patterns (oversized parameters, repeated hits from one client, worker timeouts) and alert on them.

🔍 How to Verify

Check if Vulnerable:

Check the installed Django version against the patched releases, then review the code base for HttpResponseRedirect, HttpResponsePermanentRedirect, and django.shortcuts.redirect() calls whose target is derived from request data; those are the exposed sites.

Check Version:

python -m django --version

Verify Fix Applied:

After patching, test redirect endpoints with normal Unicode inputs to ensure functionality. Verify Django version is patched.

📡 Detection & Monitoring

Log Indicators:

  • Repeated requests carrying very large Unicode (heavily percent-encoded) strings in redirect-target parameters
  • Sustained CPU saturation on Django worker processes with no matching increase in legitimate traffic
  • Worker timeouts or restarts reported by the application server (for example gunicorn or uwsgi) on redirect-issuing endpoints

Network Indicators:

  • HTTP requests with abnormally long, heavily percent-encoded query strings or bodies aimed at endpoints that issue redirects
  • High volume of such requests from a single client to redirect-issuing endpoints, often with slow or aborted responses

SIEM Query:

source="django.logs" AND (uri_path="*redirect*" OR uri_query="*next=*") AND bytes_received>10000

The path and parameter patterns are placeholders; replace them with the routes that actually feed request data into a redirect target. Filtering on the log message text for "Unicode" adds nothing, since no default Django log line describes the content of a redirect target.
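The detection logic above, as an added example written for this page rather than any vendor's or Django's own tooling: a scan over web-server access logs that flags requests whose redirect-target parameter decodes to an oversized string containing non-ASCII characters, and counts hits per client. It assumes nginx/Apache "combined" log lines, a redirect parameter named next, and the thresholds in the constants; the sample log lines are constructed.

```python
"""Access-log scan for oversized Unicode redirect targets (added example).

Example code written for this page, not Django's or any vendor's tooling. It
assumes nginx/Apache "combined" access log lines, redirect targets carried in
a ``next`` parameter, and the thresholds below; the log lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs

REDIRECT_PARAMS = ("next",)          # assumed parameter names
MAX_REDIRECT_TARGET_CHARS = 2048     # assumed: anything longer is suspect
ABORT_STATUSES = {499, 502, 504}     # client gave up / upstream timed out

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: two benign logins, two oversized payloads from one
# client (U+00E9, then fullwidth U+FF21, which NFKC folds to "A"), one static hit.
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2025:10:00:01 +0000] "GET /accounts/login/?next=%2Fdashboard%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2025:10:00:02 +0000] "GET /accounts/login/?next=%2Fcaf%C3%A9%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /accounts/login/?next=' + "%C3%A9" * 3000 + ' HTTP/1.1" 302 0 "-" "python-requests/2.32"',
    '203.0.113.7 - - [01/Jan/2025:10:00:04 +0000] "GET /go/?next=' + "%EF%BC%A1" * 2500 + ' HTTP/1.1" 499 0 "-" "python-requests/2.32"',
    '198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into ip, path, query and status."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # partition() instead of urlsplit(): the detector must not run the
    # NFKC-normalizing parser on the very payloads it is looking for.
    path, _, query = m["target"].partition("?")
    return {"ip": m["ip"], "path": path, "query": query, "status": int(m["status"])}


def redirect_param_stats(query, params=REDIRECT_PARAMS):
    """Map each redirect parameter to (decoded length, non-ASCII char count)."""
    stats = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in params:
            for value in values:  # parse_qs has already percent-decoded as UTF-8
                stats[name] = (len(value), sum(ord(c) > 0x7F for c in value))
    return stats


def scan(lines, max_chars=MAX_REDIRECT_TARGET_CHARS):
    """Return (alerts, hits per client ip) for oversized Unicode redirect targets."""
    alerts, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        for name, (length, non_ascii) in redirect_param_stats(rec["query"]).items():
            if length > max_chars and non_ascii:
                per_ip[rec["ip"]] += 1
                alerts.append({
                    "ip": rec["ip"], "path": rec["path"], "param": name,
                    "decoded_chars": length, "non_ascii": non_ascii,
                    "aborted": rec["status"] in ABORT_STATUSES,
                })
    return alerts, per_ip


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(dict(counts))
```

Run it over real logs by feeding scan() an iterator over the file. The "aborted" field marks responses the client or upstream gave up on (nginx 499, 502, 504), which corroborates a stalled worker; a per-client count above a handful in a short window is the rate-limiting trigger from the workarounds above.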
