CVE-2024-56374
Published: 14 January 2025
Summary
CVE-2024-56374 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Djangoproject Django. Its CVSS base score is 5.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates validation of information inputs including bounds checking on IPv6 address strings to prevent resource exhaustion from excessively long inputs in Django's validation functions.
Implements denial-of-service protections such as resource limits and throttling to mitigate excessive consumption triggered by crafted IPv6 strings in vulnerable Django components.
Restricts quantities of inputs to Django form fields and validation functions, directly countering unbounded string lengths that lead to DoS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote resource exhaustion DoS via crafted input to public-facing Django validation/form fields, directly mapping to application exploitation for endpoint DoS.
NVD Description
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions…
more
clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)
Deeper analysisAI
CVE-2024-56374 is a denial-of-service vulnerability in Django web framework versions 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. It stems from a lack of upper-bound limit enforcement on strings passed during IPv6 validation, which can lead to excessive resource consumption. The affected components include the undocumented private functions clean_ipv6_address and is_valid_ipv6_address, as well as the django.forms.GenericIPAddressField form field; the django.db.models.GenericIPAddressField model field is explicitly not vulnerable. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L).
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By submitting specially crafted IPv6 address strings to vulnerable validation functions or form fields, attackers can trigger resource exhaustion, resulting in a denial-of-service condition on the affected Django application. The changed scope (S:C) indicates potential impact beyond the vulnerable component itself.
Django security advisories recommend upgrading to patched versions—5.1.5, 5.0.11, or 4.2.18—to mitigate the issue, as detailed in the official release notes and announcements. Additional notifications appear in Django's announce group, security weblog, oss-security mailing list, and Debian LTS updates.
Details
- CWE(s)