Cyber Resilience

CVE-2025-14550

High · Denial of Service

Published: 03 February 2026
Modified: 04 February 2026
KEV Added: not listed
Patch: available (6.0.2, 5.2.11, 4.2.28)
CVSS v3.1: 7.5 (High) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.0007 (22.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14550 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Djangoproject Django. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation). EPSS ranks it at the 22.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-14550 is a denial-of-service vulnerability in ASGIRequest, the request object Django builds from the ASGI connection scope when it is served by an ASGI server, in versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. A remote attacker can exploit it by sending a crafted HTTP request containing many duplicate headers; the cost of processing them grows disproportionately with the number of repeats, which is why the issue is classified as CWE-407 (Inefficient Algorithmic Complexity), and the result can be server resource exhaustion. Earlier, unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated and may also be vulnerable. The advisory names only ASGIRequest; WSGI deployments use a separate request class (WSGIRequest) that it does not mention. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any unauthenticated remote attacker who can reach a vulnerable Django ASGI application can exploit this flaw without user interaction. By sending an HTTP request with numerous duplicate headers, the attacker triggers excessive processing in ASGIRequest while the request is being constructed, before any view or authentication code runs, resulting in a high availability impact through resource exhaustion or crashes of the serving process.

Django's security advisories recommend upgrading to patched versions: 6.0.2, 5.2.11, or 4.2.28. Details are available in the official security release notes at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce mailing list at https://groups.google.com/g/django-announce, and the security release announcement at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/. The issue was responsibly reported by Jiyong Yang.
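The first question for a fleet is which installations fall inside the ranges above. The following triage helper is an added example, not Django project code: it encodes only the affected ranges and patch versions stated in this advisory, and it deliberately reports unevaluated series (5.0.x, 4.1.x, 3.2.x and older) as "not evaluated" rather than as safe. It reads the installed version through `django.get_version()` when no version is passed on the command line.

```python
"""Triage helper: is a given Django version inside the ranges the advisory
for CVE-2025-14550 names as affected?

Added example, not code from the Django project. The only inputs are the
ranges stated in the advisory: 6.0 before 6.0.2, 5.2 before 5.2.11, and
4.2 before 4.2.28. Series the advisory did not evaluate (5.0.x, 4.1.x,
3.2.x and older) are reported as such rather than as safe, and so is
anything newer than the 6.0 series, which the advisory does not cover.
"""
import re
from typing import Optional, Tuple

# Minor series -> first fixed release, exactly as stated in the advisory.
FIXED_IN = {
    (6, 0): (6, 0, 2),
    (5, 2): (5, 2, 11),
    (4, 2): (4, 2, 28),
}

# Django version strings look like "6.0", "6.0.1", "6.0a1", "6.0rc1", "5.2.11".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(a|b|rc)?(\d+)?$")
_STAGE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}  # final release sorts last


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Django version string into a tuple that compares correctly,
    so that 6.0a1 < 6.0rc1 < 6.0 < 6.0.1 < 6.0.2."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, micro, stage, stage_num = m.groups()
    return (int(major), int(minor), int(micro or 0),
            _STAGE_RANK[stage], int(stage_num or 0))


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'not evaluated' for CVE-2025-14550."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # Older unsupported series (5.0.x, 4.1.x, 3.2.x, ...) were not
        # evaluated per the advisory; newer series are outside its scope.
        return "not evaluated"
    # The fixed release is a final release, hence stage rank 3.
    return "affected" if v < fixed + (3, 0) else "fixed"


def installed_django_version() -> Optional[str]:
    """Version of the Django importable from this interpreter, or None."""
    try:
        import django
    except ImportError:
        return None
    return django.get_version()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else installed_django_version()
    if target is None:
        print("Django is not installed here; pass a version, e.g. 5.2.10")
        sys.exit(2)
    verdict = assess(target)
    print(f"Django {target}: {verdict} (CVE-2025-14550)")
    sys.exit(1 if verdict == "affected" else 0)
```

Run it inside each deployment's virtualenv, or feed it the version strings collected by your inventory tooling. Treat "not evaluated" as a finding to follow up, not a pass: those series are out of support and will not receive a fix.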

Vulnerability details

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

CWE(s)

CWE-407 Inefficient Algorithmic Complexity

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Endpoint Denial of Service: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

This CVE enables endpoint denial of service through direct exploitation of inefficient header processing in a public-facing ASGI web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1285 · same product: Djangoproject Django
CVE-2026-25673 · same product: Djangoproject Django
CVE-2026-33034 · same product: Djangoproject Django
CVE-2026-4277 · same product: Djangoproject Django
CVE-2026-3902 · same product: Djangoproject Django
CVE-2025-64459 · same product: Djangoproject Django
CVE-2026-1207 · same product: Djangoproject Django
CVE-2024-56374 · same product: Djangoproject Django
CVE-2025-26699 · same product: Djangoproject Django
CVE-2026-34573 · shared CWE-407

Affected Assets

djangoproject
django
4.2.x before 4.2.28 · 5.2.x before 5.2.11 · 6.0.x before 6.0.2 (the upper bounds are the fixed releases and are not themselves affected)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Directly remediates the flaw in Django's ASGIRequest component that allows resource exhaustion from multiple duplicate headers, by requiring timely application of the vendor patches (6.0.2, 5.2.11, 4.2.28).

SC-5 Denial-of-service Protection · prevent

Protects against denial-of-service attacks, including resource exhaustion from crafted HTTP requests with excessive duplicate headers; typically the header-count and header-size limits a reverse proxy or the ASGI server enforces in front of Django.

SI-10 Information Input Validation · prevent

Validates inputs such as HTTP request headers so that requests with an abusive number of duplicate headers are rejected before they reach the inefficient processing path. This is a compensating control while the upgrade is pending, not a replacement for it.
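One way to apply the input-validation control at the ASGI layer, as an added example that is neither Django's code nor part of the advisory: a small ASGI middleware that counts headers in the connection scope and answers 431 before the inner application (and therefore ASGIRequest) ever sees the request. The two limits are assumptions to tune against real traffic; header names that legitimately repeat still pass as long as they stay under the per-name cap. The sample scopes at the bottom are constructed for the demonstration.

```python
"""ASGI middleware that refuses requests carrying an abusive number of
headers before Django ever builds an ASGIRequest from them.

Added example, not code from Django or from the advisory. It is a
compensating control (input validation in the spirit of NIST SI-10) for
deployments that cannot upgrade immediately; it does not replace moving to
6.0.2 / 5.2.11 / 4.2.28. The limits below are assumptions to tune for your
application's real traffic.
"""
import asyncio
from collections import Counter

MAX_TOTAL_HEADERS = 100    # assumed ceiling; browsers typically send well under 30
MAX_REPEATS_PER_NAME = 8   # assumed ceiling on repeats of any single header name


def header_violation(headers, max_total=MAX_TOTAL_HEADERS,
                     max_repeats=MAX_REPEATS_PER_NAME):
    """Inspect scope['headers'] (a list of (name, value) byte pairs) and return
    a reason string if the request should be refused, otherwise None.
    Both checks are one linear pass over the list, so the check itself
    cannot become the expensive step."""
    if len(headers) > max_total:
        return f"too many headers ({len(headers)} > {max_total})"
    counts = Counter(name.lower() for name, _ in headers)
    if counts:
        name, n = counts.most_common(1)[0]
        if n > max_repeats:
            return (f"header {name.decode('latin1')!r} repeated {n} times "
                    f"(> {max_repeats})")
    return None


class HeaderLimitMiddleware:
    """Wrap any ASGI application; offending HTTP requests get a 431
    (Request Header Fields Too Large) without reaching the inner app."""

    def __init__(self, app, max_total=MAX_TOTAL_HEADERS,
                 max_repeats=MAX_REPEATS_PER_NAME):
        self.app = app
        self.max_total = max_total
        self.max_repeats = max_repeats

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            reason = header_violation(scope.get("headers", []),
                                      self.max_total, self.max_repeats)
            if reason is not None:
                body = reason.encode("latin1", "replace")
                await send({
                    "type": "http.response.start",
                    "status": 431,
                    "headers": [(b"content-type", b"text/plain"),
                                (b"content-length", str(len(body)).encode("ascii"))],
                })
                await send({"type": "http.response.body", "body": body})
                return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Stand-in for the Django ASGI application: always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def status_for(headers):
    """Drive a constructed HTTP scope through the middleware and return the
    status code the client would receive."""
    app = HeaderLimitMiddleware(_ok_app)
    scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]


# Constructed sample inputs: an ordinary request, and one that repeats a
# single header name 500 times, the shape the advisory describes.
NORMAL = [(b"host", b"example.test"), (b"accept", b"*/*"),
          (b"user-agent", b"demo-client")]
FLOOD = [(b"x-dup", b"v%d" % i) for i in range(500)]

if __name__ == "__main__":
    print("normal request ->", status_for(NORMAL))        # 200
    print("500 duplicate headers ->", status_for(FLOOD))  # 431
```

In a Django project the wrap goes in asgi.py: `application = HeaderLimitMiddleware(get_asgi_application())`, with `get_asgi_application` imported from `django.core.asgi`. Watch the 431 rate after deployment: a client that legitimately sends many Cookie or Accept-Language lines will show up there, which is the signal to raise the per-name cap rather than disable the check. The same limits belong at the reverse proxy as well, so the request is dropped before it consumes an application worker at all.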

References

Django security release notes: https://docs.djangoproject.com/en/dev/releases/security/
django-announce mailing list: https://groups.google.com/g/django-announce
Security release announcement, 03 February 2026: https://www.djangoproject.com/weblog/2026/feb/03/security-releases/