Cyber Resilience

CVE-2022-41323

Severity: High
Published: 16 October 2022
Modified: 14 May 2025
KEV Added: not listed
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.1633 (95.0th percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-41323 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Django (vendor: djangoproject). Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 5.0% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-41323 affects Django versions 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2. The flaw resides in the handling of internationalized URLs, where the locale parameter is processed as a regular expression without sufficient safeguards, enabling a potential denial-of-service condition that can exhaust server resources and impact availability.

An unauthenticated remote attacker can supply a crafted locale value in a request to trigger catastrophic backtracking in the regular expression engine. This leads to high CPU consumption on the target server without requiring authentication or user interaction, resulting in service degradation or outage for affected Django deployments that use i18n URL patterns.

Official Django security releases and announcements direct users to upgrade immediately to the patched versions 3.2.16, 4.0.8, or 4.1.2. The referenced commit and package advisories for Fedora confirm that the fix restricts locale handling to prevent untrusted input from being interpreted as a regular expression.
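The defect and its remedy can be shown without Django itself: a locale string taken from a request is interpolated verbatim into a regular expression (so its metacharacters are interpreted), versus the hardened form that escapes the value so it is matched literally, backed by a version check against the ranges listed in this advisory. This is an added illustration, not Django's own code; the function names, the language-tag pattern and the sample locale values are assumptions made for the example.

```python
import re

# Fixed versions per affected minor series, as listed in the advisory.
FIXED_VERSIONS = {(3, 2): (3, 2, 16), (4, 0): (4, 0, 8), (4, 1): (4, 1, 2)}


def parse_version(version):
    """Parse a plain numeric Django version ("4.1.1") into a tuple.
    Assumes release versions only (no rc/alpha suffixes)."""
    return tuple(int(p) for p in version.split(".")[:3])


def is_vulnerable(version):
    """True when the version falls in an affected range of CVE-2022-41323.
    Series not named in the advisory are reported as not affected."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed


def locale_prefix_regex_unsafe(locale):
    # Weak form: the untrusted locale is pasted straight into the pattern,
    # so any regex metacharacters it carries are interpreted by the engine.
    return re.compile("^%s/" % locale)


def locale_prefix_regex_safe(locale):
    # Hardened form: re.escape() neutralises metacharacters, so the locale
    # can only ever match itself as a literal prefix.
    return re.compile("^%s/" % re.escape(locale))


# Defence in depth: accept only syntactically plausible language tags before
# the value reaches any pattern at all (hypothetical allow-pattern).
LANGUAGE_TAG_RE = re.compile(r"^[a-z]{2,3}(-[A-Za-z0-9]{1,8})*$")


def is_valid_locale(locale):
    return LANGUAGE_TAG_RE.fullmatch(locale) is not None


def prefix_matches(pattern, path):
    return pattern.match(path) is not None


if __name__ == "__main__":
    # Constructed input: "e." is not a language tag, but as a regex it
    # matches any path starting with "e" plus one character.
    print(prefix_matches(locale_prefix_regex_unsafe("e."), "en/"))  # True
    print(prefix_matches(locale_prefix_regex_safe("e."), "en/"))    # False
    print(is_valid_locale("e."), is_vulnerable("4.1.1"))           # False True
```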

The EPSS score has remained flat at its peak value of 0.1633 with no material increase after disclosure.

Vulnerability details

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

CWE(s): CWE-1333 Inefficient Regular Expression Complexity

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: djangoproject
Product: django
Affected versions: 3.2 before 3.2.16; 4.0 before 4.0.8; 4.1 before 4.1.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.