Cyber Resilience

CVE-2023-36053

High

Published: 03 July 2023

Modified: 04 November 2025
KEV Added: (not listed)
Patch: see Affected Assets
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0959 (93.0th percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-36053 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Django (djangoproject). Its CVSS base score is 7.5 (High).

Operationally, its EPSS score places it in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-36053 affects Django versions 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3. The flaw resides in the EmailValidator and URLValidator classes, which rely on regular expressions that can be forced into catastrophic backtracking when presented with input containing an extremely large number of domain-name labels.

An unauthenticated remote attacker can supply a crafted email address or URL whose domain portion contains thousands of labels. Because the vulnerable validators impose no bound on input length or label count before matching, processing such input consumes excessive CPU time and can render the validating application unresponsive, a denial-of-service condition that needs neither authentication nor user interaction.

Official Django security advisories and downstream distribution notices direct users to upgrade immediately to 3.2.20, 4.1.10, or 4.2.3 or later; these releases contain revised validators that limit label count and avoid the expensive regex path. The associated EPSS score has remained essentially flat near 0.1 since disclosure, indicating limited observed exploitation interest to date.
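The fix described above bounds the number of domain labels before the expensive regex runs. The following added example (not Django's code, and not the patched validators) shows the same defensive idea as a standalone pre-check: a linear-time structural test on the host part of an email address or URL, using the RFC 1035 hostname limits (253 characters total, 63 per label) as an assumed policy. Inputs that fail the check never reach a regex-based validator, so an input with thousands of labels is rejected cheaply instead of triggering backtracking. The helper names (`extract_host`, `host_within_dns_limits`, `safe_to_validate`) and the sample inputs are constructed for this example.

```python
"""Pre-validation guard that bounds host length and label count before any regex validation."""
from urllib.parse import urlsplit

# Assumed policy, taken from RFC 1035 presentation-form hostname limits
# (these are not Django's own constants).
MAX_HOST_LENGTH = 253
MAX_LABEL_LENGTH = 63
# A 253-character host with the shortest possible labels ("x.") holds at most 127 labels.
MAX_LABELS = 127


def extract_host(value, kind):
    """Return the host portion of an email address or URL, or None if there is none."""
    if kind == "email":
        # Split on the last '@' so a quoted local part containing '@' is handled.
        if "@" not in value:
            return None
        return value.rsplit("@", 1)[1]
    if kind == "url":
        try:
            return urlsplit(value).hostname
        except ValueError:
            # e.g. malformed IPv6 bracket syntax; treat as not validatable
            return None
    raise ValueError("kind must be 'email' or 'url'")


def host_within_dns_limits(host):
    """Linear-time structural check on a hostname; no regular expression involved."""
    if not host:
        return False
    host = host.rstrip(".")  # tolerate a single trailing dot (FQDN form)
    if len(host) > MAX_HOST_LENGTH:
        return False
    labels = host.split(".")
    if len(labels) > MAX_LABELS:
        return False
    # Every label must be non-empty and within the per-label limit.
    return all(0 < len(label) <= MAX_LABEL_LENGTH for label in labels)


def safe_to_validate(value, kind):
    """Gate: True only if the value's host is small enough to hand to a regex validator."""
    return host_within_dns_limits(extract_host(value, kind))


if __name__ == "__main__":
    # Constructed samples: two ordinary inputs and two with thousands of labels.
    ok_email = "user@example.com"
    oversized_email = "user@" + ".".join(["a"] * 5000) + ".com"
    ok_url = "https://www.example.org/path"
    oversized_url = "https://" + ".".join(["a"] * 5000) + "/"
    print("email ok:", safe_to_validate(ok_email, "email"))
    print("email oversized:", safe_to_validate(oversized_email, "email"))
    print("url ok:", safe_to_validate(ok_url, "url"))
    print("url oversized:", safe_to_validate(oversized_url, "url"))
```

In a web application this gate would run in the form or serializer layer, before the framework validator, and a rejection can be logged as a structural-limit failure so that a burst of oversized hosts is visible in monitoring.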

EU & UK References

Vulnerability details

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

CWE(s)

CWE-1333: Inefficient Regular Expression Complexity

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

djangoproject / django: 3.2 before 3.2.20 · 4.0 before 4.1.10 · 4.2 before 4.2.3
debian / debian linux: 10.0, 11.0, 12.0
fedoraproject / fedora: 37, 38

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References