CVE-2023-36053
Published: 03 July 2023
Summary
CVE-2023-36053 is an Inefficient Regular Expression Complexity (CWE-1333) vulnerability in the Django web framework. NVD assigns it a CVSS base score of 7.5 (High); the Django project's own advisory rates the issue moderate.
Its EPSS percentile places it in the top 7.0% of CVEs by estimated exploit likelihood; it is not listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-36053 affects Django 3.2 before 3.2.20, 4.x before 4.1.10, and 4.2 before 4.2.3. The flaw resides in the EmailValidator and URLValidator classes in django.core.validators, which hand their input to regular expressions whose matching cost grows disproportionately when the domain portion of an email address or URL contains a very large number of labels. Before the fix, nothing bounded the size of the value before the regular expression was evaluated.
A remote attacker can supply a crafted email address or URL whose domain portion contains thousands of labels to any endpoint that runs these validators on untrusted input, which in practice means any form, model or serializer field built on Django's EmailField or URLField. Processing such input consumes excessive CPU time in the validator and can leave the worker handling the request unresponsive, a denial-of-service condition that requires no authentication or user interaction.
The Django security advisory and downstream distribution notices direct users to upgrade to 3.2.20, 4.1.10, or 4.2.3 or later. The fixed releases add an input-length check that runs before the regular expression: EmailValidator rejects addresses longer than 320 characters (the maximum the project cites from RFC 3696 section 3), and URLValidator gains a max_length attribute, 2048 characters by default. The EPSS score has remained essentially flat near 0.1 since disclosure, with no spike that would indicate a surge in exploitation interest.
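The guard below, added here as an illustration and not taken from Django's source, shows the shape of that fix: a constant-time length check in front of a regex-backed validator, with the pre-fix form beside it for comparison. The regexes are simplified stand-ins for the project's user-part and domain-part patterns, the 320 and 2048 bounds follow the upstream limits, the ValidationError class is a local stand-in so the script runs without Django, and the sample addresses, including the label-heavy hostile one, are constructed for this example.

```python
"""Length-bounded guard in front of a regex validator (illustration of the
CVE-2023-36053 fix pattern; not Django's own code)."""
import re
import time

# Bounds chosen to mirror the ones the upstream fix applies (assumption of this
# example, check your installed Django): 320 characters for an e-mail address
# per RFC 3696 section 3, 2048 for a URL.
MAX_EMAIL_LENGTH = 320
MAX_URL_LENGTH = 2048

# Simplified stand-ins for the user-part and domain-part patterns. They follow the
# same shape as Django's (labels of 1-63 characters, no leading or trailing dash,
# a 2-63 character top-level label) but are not copies of the project's regexes.
USER_RE = re.compile(r"[A-Z0-9._%+-]+\Z", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z0-9-]{2,63}(?<!-)\Z",
    re.IGNORECASE,
)


class ValidationError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError (no Django import here)."""


class RegexEmailValidator:
    """Pre-fix shape: split on '@' and hand both halves straight to the regex engine."""

    def __init__(self):
        self.regex_calls = 0  # instrumentation: how often the regex engine ran

    def __call__(self, value):
        if not isinstance(value, str) or "@" not in value:
            raise ValidationError("Enter a valid email address.")
        user_part, domain_part = value.rsplit("@", 1)
        self.regex_calls += 1
        if not USER_RE.match(user_part) or not DOMAIN_RE.match(domain_part):
            raise ValidationError("Enter a valid email address.")
        return value


class LengthBounded:
    """Post-fix shape: reject oversized input in O(1) before the wrapped validator runs."""

    def __init__(self, validator, max_length):
        self.validator = validator
        self.max_length = max_length

    def __call__(self, value):
        if not isinstance(value, str):
            raise ValidationError("Expected a string.")
        if len(value) > self.max_length:
            # The regex engine is never reached for oversized input.
            raise ValidationError(
                f"Input of {len(value)} characters exceeds the {self.max_length} limit."
            )
        return self.validator(value)


def is_valid(validator, value):
    """True if the validator accepts the value, False if it raises ValidationError."""
    try:
        validator(value)
    except ValidationError:
        return False
    return True


def time_validation(validator, value):
    """Wall-clock seconds for one validation call; rejected input is timed too."""
    start = time.perf_counter()
    is_valid(validator, value)
    return time.perf_counter() - start


# Constructed sample inputs (not taken from the advisory).
GOOD_ADDRESSES = ["user@example.com", "first.last@mail.example.co.uk"]
BAD_ADDRESSES = ["no-at-sign", "user@-leading-dash.com", "user@example.c", "user@trailing-.com"]
# Label-heavy input of the kind the advisory describes: twenty thousand one-letter labels.
HOSTILE_ADDRESS = "a@" + "a." * 20000 + "a"


def compare(value):
    """Run the unbounded and the length-bounded validator on one value.

    Returns (unbounded_result, unbounded_regex_calls, bounded_result, bounded_regex_calls).
    """
    unbounded = RegexEmailValidator()
    inner = RegexEmailValidator()
    bounded = LengthBounded(inner, MAX_EMAIL_LENGTH)
    return (is_valid(unbounded, value), unbounded.regex_calls,
            is_valid(bounded, value), inner.regex_calls)


if __name__ == "__main__":
    for address in GOOD_ADDRESSES + BAD_ADDRESSES:
        result = compare(address)
        print(f"{address!r:40} unbounded={result[0]} bounded={result[2]}")
    result = compare(HOSTILE_ADDRESS)
    print(f"hostile ({len(HOSTILE_ADDRESS)} chars): regex ran {result[1]}x unbounded, {result[3]}x bounded")
    print(f"unbounded: {time_validation(RegexEmailValidator(), HOSTILE_ADDRESS):.4f}s, "
          f"bounded: {time_validation(LengthBounded(RegexEmailValidator(), MAX_EMAIL_LENGTH), HOSTILE_ADDRESS):.6f}s")
```

Wrapping is also the interim option for a deployment that cannot upgrade yet: a form or serializer can apply an equivalent cap before the field's validator runs. The instrumented regex_calls counter is the property a unit test can pin down, because wall-clock timings vary between hosts; the timing helper is there for a before/after comparison on your own inputs.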
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0065
Vulnerability details
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
- CWE(s): CWE-1333 Inefficient Regular Expression Complexity
Related Threats
No named threat actor has been attributed to this CVE, and no ATT&CK technique mapping has been published for it.
Affected Assets
Django 3.2 before 3.2.20, 4.x before 4.1.10, and 4.2 before 4.2.3, and any application that exposes EmailField, URLField, or the EmailValidator and URLValidator classes directly to untrusted input.
Mitigating Controls
Upgrade to Django 3.2.20, 4.1.10, or 4.2.3 or later. Where an upgrade must wait, cap the length of email and URL inputs before they reach the validators; the fixed releases apply the same kind of check themselves.