CVE-2025-64460

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability in Django's XML deserializer allows remote attackers to cause CPU and memory exhaustion via specially crafted XML input. This affects Django versions 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27, potentially impacting any Django application that processes XML input.

💻 Affected Systems

Products:
  • Django
Versions: 5.2 before 5.2.9, 5.1 before 5.1.15, 4.2 before 4.2.27
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Earlier unsupported Django series (5.0.x, 4.1.x, 3.2.x) may also be affected but were not evaluated.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to resource exhaustion, potentially requiring server restart and causing extended downtime.

🟠

Likely Case

Degraded performance and intermittent service disruptions affecting application availability.

🟢

If Mitigated

Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH - Remote attackers can exploit this without authentication via XML input endpoints.
🏢 Internal Only: MEDIUM - Internal users could still exploit, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending specially crafted XML to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.9, 5.1.15, 4.2.27

Vendor Advisory: https://docs.djangoproject.com/en/dev/releases/security/

Restart Required: Yes

Instructions:

1. Update Django using pip: 'pip install --upgrade Django==5.2.9' (or the appropriate fixed version for your series).
2. Restart your Django application server.
3. Test XML processing functionality.

🔧 Temporary Workarounds

Disable XML Deserializer

Platform: all

Remove or disable XML deserialization endpoints if not required.

Implement XML Input Limits

Platform: linux

Configure the web server or application to limit XML input size and processing time.

nginx: client_max_body_size 1M;
uwsgi: limit-post 1048576

🧯 If You Can't Patch

  • Implement strict XML input validation and size limits at the application level.
  • Use web application firewall (WAF) rules to block or limit XML payloads.
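The nginx and uwsgi settings above cap the request body at the edge; the "application level" limit the bullet list asks for can be done in the same spirit inside the WSGI stack. The following is an added example, not code from the advisory or from Django: a pure-WSGI middleware that rejects XML request bodies larger than the same 1 MiB figure before the application ever hands them to a parser. The middleware name, the accepted content types and the choice to reject XML bodies with no usable Content-Length are assumptions.

```python
"""Application-level counterpart of the nginx/uwsgi body limits from the
advisory: a WSGI middleware that refuses oversized XML request bodies
before the application parses them.  Added example, not advisory or
Django code; the 1 MiB limit mirrors the advisory's settings, the class
and helper names are assumptions."""

MAX_XML_BYTES = 1_048_576  # same value as client_max_body_size 1M / limit-post 1048576
XML_TYPES = ("application/xml", "text/xml")


def is_xml_request(environ):
    """True for application/xml, text/xml and any */*+xml media type."""
    ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    return ctype in XML_TYPES or ctype.endswith("+xml")


def xml_body_too_large(environ, limit=MAX_XML_BYTES):
    """True if the request declares an XML body larger than `limit`, or an
    XML body with no usable Content-Length (we refuse to guess its size)."""
    if not is_xml_request(environ):
        return False
    try:
        length = int(environ.get("CONTENT_LENGTH", ""))
    except ValueError:
        # Missing or garbage length on an XML body (e.g. chunked upload):
        # reject rather than stream an unbounded body into the parser.
        return True
    return length > limit


class XmlSizeLimitMiddleware:
    """Wrap any WSGI app (Django's get_wsgi_application() included)."""

    def __init__(self, app, limit=MAX_XML_BYTES):
        self.app = app
        self.limit = limit

    def __call__(self, environ, start_response):
        if xml_body_too_large(environ, self.limit):
            body = b"XML request body exceeds limit\n"
            start_response("413 Payload Too Large", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


# Constructed demo: a trivial app behind the middleware, driven without a server.
def _demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"parsed\n"]


def call_status(environ):
    """Run the wrapped demo app for one request and return its status line."""
    app = XmlSizeLimitMiddleware(_demo_app)
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    list(app(environ, start_response))  # consume the body iterable
    return seen["status"]


if __name__ == "__main__":
    print(call_status({"CONTENT_TYPE": "application/xml", "CONTENT_LENGTH": "2000000"}))
    print(call_status({"CONTENT_TYPE": "application/xml", "CONTENT_LENGTH": "512"}))
```

In a Django deployment the wrapper goes around the object returned by `get_wsgi_application()` in wsgi.py. Note that this only caps size; the advisory also mentions processing time, which still needs a request timeout at the server (the uwsgi/nginx layer) since a body under 1 MiB can still be expensive to parse.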

🔍 How to Verify

Check if Vulnerable:

Check Django version: 'python -m django --version' or inspect requirements.txt/pip freeze.

Check Version:

python -m django --version

Verify Fix Applied:

Confirm the installed Django version is at or above the fixed release for its series: 5.2.9 (5.2.x), 5.1.15 (5.1.x), or 4.2.27 (4.2.x).
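Comparing a version string against three separate fix releases by eye is where mistakes happen (5.1.16 is fixed, 5.2.8 is not, and 5.0.x is outside the evaluated set). The following is an added example, not part of the advisory: a small script that runs the `python -m django --version` check the advisory gives and classifies the result per series using the fix versions from the page. The function names and the `not_listed` outcome for series the advisory does not mention are assumptions.

```python
"""Classify an installed Django version against the CVE-2025-64460 fix
releases.  Added example, not from the advisory; the fix-version table
is taken from the advisory, the helper names are assumptions."""
import re
import subprocess
import sys

# (major, minor) series -> first fixed release, per the advisory.
FIXED_RELEASES = {
    (5, 2): (5, 2, 9),
    (5, 1): (5, 1, 15),
    (4, 2): (4, 2, 27),
}


def parse_version(text):
    """Turn '5.2.8', '5.2' or '4.2.27.dev1' into an (int, int, int) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Django version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(version):
    """Return 'vulnerable', 'fixed' or 'not_listed'.

    'not_listed' covers series the advisory does not evaluate (e.g. the
    unsupported 5.0.x / 3.2.x it warns about, or a series newer than the
    advisory); those need a separate check against the vendor advisory."""
    ver = parse_version(version) if isinstance(version, str) else version
    series = ver[:2]
    if series not in FIXED_RELEASES:
        return "not_listed"
    return "fixed" if ver >= FIXED_RELEASES[series] else "vulnerable"


def installed_django_version():
    """Run `python -m django --version`, the check the advisory gives."""
    out = subprocess.run([sys.executable, "-m", "django", "--version"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_django_version()
    print(f"Django {v}: {assess(v)}")
```

Run it with the same interpreter that serves the application (a virtualenv can carry a different Django than the system Python), and treat `not_listed` as "go read the vendor advisory", not as "safe".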

📡 Detection & Monitoring

Log Indicators:

  • High CPU/memory usage spikes
  • XML parsing errors or timeouts
  • Large XML payloads in request logs

Network Indicators:

  • Unusually large XML requests
  • Repeated XML requests to deserialization endpoints

SIEM Query:

source="web_logs" AND (request_body_size>1048576 OR uri_path="*deserialize*" OR content_type="application/xml")
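The query above is three OR-ed conditions; when the SIEM is not at hand, the same triage can be run over exported web logs directly. The following is an added example, not part of the advisory: it applies the query's three conditions to a handful of constructed log records and adds the "repeated XML requests from one source" network indicator as a per-source count. The field names mirror the query; the sample records, the `src` field and the repeat threshold are constructed assumptions.

```python
"""Offline equivalent of the advisory's SIEM query, run over constructed
sample web-log records.  Added example, not part of the advisory; the log
records, the `src` field and the repeat threshold are assumptions."""
import fnmatch
from collections import Counter

BODY_LIMIT = 1_048_576  # the 1048576 figure from the SIEM query

# Constructed sample records; field names chosen to match the SIEM query.
SAMPLE_LOGS = [
    {"src": "203.0.113.5",  "uri_path": "/api/deserialize", "content_type": "application/xml",  "request_body_size": 3_000_000},
    {"src": "203.0.113.5",  "uri_path": "/api/deserialize", "content_type": "application/xml",  "request_body_size": 2_900_000},
    {"src": "203.0.113.5",  "uri_path": "/api/deserialize", "content_type": "application/xml",  "request_body_size": 3_100_000},
    {"src": "198.51.100.7", "uri_path": "/api/items",       "content_type": "application/json", "request_body_size": 512},
    {"src": "198.51.100.9", "uri_path": "/upload",          "content_type": "application/json", "request_body_size": 4_000_000},
    {"src": "192.0.2.44",   "uri_path": "/feeds/import",    "content_type": "text/xml",         "request_body_size": 40_000},
]


def matches_query(rec):
    """Mirror the advisory's query exactly:
    request_body_size>1048576 OR uri_path="*deserialize*" OR content_type="application/xml"."""
    return (rec.get("request_body_size", 0) > BODY_LIMIT
            or fnmatch.fnmatch(rec.get("uri_path", ""), "*deserialize*")
            or rec.get("content_type", "") == "application/xml")


def flag_records(records):
    """Records the SIEM query would return, in log order."""
    return [r for r in records if matches_query(r)]


def repeated_xml_sources(records, threshold=3):
    """Network indicator: sources that sent at least `threshold` XML-typed
    requests.  Uses a suffix match so text/xml and */*+xml count too."""
    counts = Counter(r["src"] for r in records
                     if r.get("content_type", "").endswith("xml"))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for r in flag_records(SAMPLE_LOGS):
        print("flag:", r["src"], r["uri_path"], r["content_type"], r["request_body_size"])
    print("repeat sources:", repeated_xml_sources(SAMPLE_LOGS))
```

One caveat the sample data makes visible: the query's exact match on `content_type="application/xml"` does not catch the `text/xml` record, so a 40 KB XML upload to a non-"deserialize" path is invisible to it. If the application accepts `text/xml` or `+xml` media types, widen that clause to a wildcard before relying on the query as a detection.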
