CVE-2025-14550
Published: 03 February 2026
Summary
CVE-2025-14550 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Djangoproject Django. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 22.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-14550 is a denial-of-service vulnerability in Django's ASGIRequest component, affecting versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. A remote attacker can exploit this by sending a crafted HTTP request containing multiple duplicate headers, potentially leading to resource exhaustion. Earlier unsupported Django series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be vulnerable. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-407 (Inefficient Algorithmic Complexity).
Any unauthenticated remote attacker with network access to a vulnerable Django ASGI application can exploit this flaw without user interaction. By crafting and sending an HTTP request with numerous duplicate headers, the attacker triggers excessive processing in ASGIRequest, resulting in high availability impact through potential server resource exhaustion or crashes.
Django's security advisories recommend upgrading to patched versions: 6.0.2, 5.2.11, or 4.2.28. Details are available in the official security release notes at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce mailing list at https://groups.google.com/g/django-announce, and the security release announcement at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/. The issue was responsibly reported by Jiyong Yang.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206739
Vulnerability details
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables Endpoint DoS via direct exploitation of inefficient header processing in a public-facing ASGI web application.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the specific flaw in Django's ASGIRequest component causing resource exhaustion from multiple duplicate headers by requiring timely application of vendor patches.
- SC-5 (Denial-of-service Protection): protects against denial-of-service attacks, including resource exhaustion from crafted HTTP requests with excessive duplicate headers.
- SI-10 (Information Input Validation): validates information inputs such as HTTP request headers to detect and reject crafted requests with multiple duplicate headers that trigger inefficient processing.
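One way to apply the input-validation control above while a patch is rolled out, as an added example that is neither Django's code nor part of this advisory: an ASGI wrapper that counts header-name repeats in the ASGI scope and answers 431 before the request ever reaches `ASGIRequest`. The `MAX_DUPLICATES` limit, the `DuplicateHeaderGuard` name and the stub application are assumptions; upgrading to 6.0.2, 5.2.11 or 4.2.28 remains the actual fix.

```python
import asyncio
from collections import Counter

# Assumed operator-chosen limit on how often a single header name may repeat.
MAX_DUPLICATES = 8


def duplicate_header_counts(headers):
    """Count occurrences of each header name in an ASGI scope['headers'] list."""
    return Counter(name.lower() for name, _value in headers)


def offending_headers(headers, limit=MAX_DUPLICATES):
    """Header names that repeat more than `limit` times, decoded for logging."""
    counts = duplicate_header_counts(headers)
    return sorted(n.decode("latin-1") for n, c in counts.items() if c > limit)


class DuplicateHeaderGuard:
    """ASGI wrapper: short-circuit with 431 when duplicate header names exceed the
    limit, so the request is never handed to Django's ASGIRequest."""

    def __init__(self, app, limit=MAX_DUPLICATES):
        self.app = app
        self.limit = limit

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and offending_headers(scope.get("headers", []), self.limit):
            await send({"type": "http.response.start", "status": 431,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"Too many duplicate headers\n"})
            return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Stand-in for the Django application (assumed); always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok\n"})


def status_for(headers, limit=MAX_DUPLICATES):
    """Drive the guarded stub app with a constructed scope and return the status sent."""
    sent = []
    scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    asyncio.run(DuplicateHeaderGuard(_ok_app, limit)(scope, receive, send))
    return sent[0]["status"]
```

In a real deployment the wrapper goes around the object returned by `get_asgi_application()` in the project's `asgi.py`, and the 431 responses are worth alerting on since legitimate clients rarely repeat one header name dozens of times.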