CVE-2022-41323
Published: 16 October 2022
Summary
CVE-2022-41323 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Djangoproject Django. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-41323 affects Django versions 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2. The flaw resides in the handling of internationalized URLs, where the locale parameter is processed as a regular expression without sufficient safeguards, enabling a potential denial-of-service condition that can exhaust server resources and impact availability.
An unauthenticated remote attacker can supply a crafted locale value in a request to trigger catastrophic backtracking in the regular expression engine. This leads to high CPU consumption on the target server without requiring authentication or user interaction, resulting in service degradation or outage for affected Django deployments that use i18n URL patterns.
Official Django security releases and announcements direct users to upgrade immediately to the patched versions 3.2.16, 4.0.8, or 4.1.2. The referenced commit and package advisories for Fedora confirm that the fix restricts locale handling to prevent untrusted input from being interpreted as a regular expression.
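As an added illustration, and not Django's own code or the referenced commit, the snippet below models the defect class the advisory describes (an untrusted language prefix compiled verbatim as a regular expression) next to a hardened form that escapes the prefix and checks it against an allow-list. The prefix-stripping helper and the allow-list pattern are assumptions made for this example.

```python
import re

# Assumed allow-list for a URL language prefix such as "en-us/":
# 2-3 letters, optional "-" plus 2-8 alphanumerics, trailing slash.
LANGUAGE_PREFIX_RE = re.compile(r"^[a-z]{2,3}(?:-[a-z0-9]{2,8})?/$", re.IGNORECASE)


def is_valid_language_prefix(language_prefix: str) -> bool:
    """Allow-list check: reject anything that is not a plain language tag."""
    return LANGUAGE_PREFIX_RE.fullmatch(language_prefix) is not None


def locale_prefix_pattern_unsafe(language_prefix: str) -> re.Pattern:
    """Vulnerable form: the prefix is compiled as-is, so any regex
    metacharacters it contains change what the pattern matches and how
    expensively the engine evaluates it."""
    return re.compile(language_prefix)


def locale_prefix_pattern_safe(language_prefix: str) -> re.Pattern:
    """Hardened form: re.escape() makes every character in the prefix
    match literally, so the input can no longer act as a pattern."""
    return re.compile(re.escape(language_prefix))


def strip_locale_prefix(path: str, language_prefix: str, safe: bool = True):
    """Hypothetical helper: return `path` with its locale prefix removed,
    or None when the prefix does not match at the start of the path.
    In safe mode an invalid prefix is rejected before any regex is built."""
    if safe:
        if not is_valid_language_prefix(language_prefix):
            return None
        pattern = locale_prefix_pattern_safe(language_prefix)
    else:
        pattern = locale_prefix_pattern_unsafe(language_prefix)
    match = pattern.match(path)
    if match is None:
        return None
    return path[match.end():]
```

In the unsafe form a prefix such as "e./" matches "ex/about/" because "." is a wildcard; the escaped form matches only the literal text, and the allow-list rejects the value outright.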
The EPSS score has remained flat at its peak value of 0.1633 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0094
Vulnerability details
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.