Cyber Resilience

CVE-2024-39614

Severity: High
Published: 10 July 2024
Modified: 04 November 2025
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0684 (91.5th percentile)
Risk priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-39614 is a high-severity Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability in Django (vendor: djangoproject). Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 8.5% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-39614 affects the get_supported_language_variant() function in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The flaw, classified as CWE-130, allows a denial-of-service condition when the function processes very long input strings containing specific characters. The CVSS 7.5 rating is driven entirely by the high availability impact, reachable over the network without authentication.

An unauthenticated remote attacker can supply a crafted, excessively long language-variant string to any Django application code path that invokes this function, triggering excessive resource consumption and service disruption. No privileges or user interaction are required, so the exposure is broad for any internet-facing Django deployment that uses the internationalization features.

Official Django security advisories and release notes direct users to upgrade immediately to 5.0.7 or 4.2.14, which contain the fix; the project’s announcement channels and documentation pages provide the corresponding patch details and upgrade guidance.
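The fastest defensive check is an inventory one: confirm no deployment still pins a Django release inside the affected ranges. The script below is an added example written for this page (not Django project code); it parses pip-freeze-style pins and classifies each Django version against the ranges stated above, with a constructed sample input.

```python
"""Added example (not from the advisory or the Django project): flag Django pins
that fall inside the CVE-2024-39614 affected ranges (4.2 < 4.2.14, 5.0 < 5.0.7)."""
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory, keyed by the affected minor series.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 2): (4, 2, 14),
    (5, 0): (5, 0, 7),
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '4.2.13' or '5.0' into an (major, minor, patch) tuple.
    A pre-release suffix such as '5.0rc1' is ignored, which keeps the
    comparison conservative (pre-releases sort below the fixed release)."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if inside an affected range, False if at/after the fixed release of
    that series, None if the series is not covered by this advisory at all."""
    v = parse_version(version)
    if v is None or v[:2] not in FIXED_IN:
        return None  # unparseable, or a series the advisory does not list
    return v < FIXED_IN[v[:2]]


def scan_requirements(freeze_output: str) -> Dict[str, Optional[bool]]:
    """Map every 'Django==X.Y.Z' pin in pip-freeze output to is_affected()."""
    results: Dict[str, Optional[bool]] = {}
    for line in freeze_output.splitlines():
        m = re.match(r"^\s*django\s*==\s*([\w.]+)", line, re.IGNORECASE)
        if m:
            results[line.strip()] = is_affected(m.group(1))
    return results


# Constructed sample input in the shape of `pip freeze` output (not a real host).
SAMPLE_FREEZE = "asgiref==3.8.1\nDjango==4.2.13\nsqlparse==0.5.0\n"

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "fixed", None: "not in advisory scope"}
    for req, hit in scan_requirements(SAMPLE_FREEZE).items():
        print(req, labels[hit])
```

Run it against real `pip freeze` output from each environment; any `AFFECTED` line means the upgrade to 4.2.14 or 5.0.7 named in the advisory is still outstanding.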

EPSS scores have remained low and essentially flat near 0.07, with no indication of emerging exploitation interest.

Vulnerability details

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

CWE(s)

CWE-130: Improper Handling of Length Parameter Inconsistency

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: djangoproject
Product: django
Affected versions: 4.2 up to 4.2.14 (exclusive); 5.0 up to 5.0.7 (exclusive)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
