CVE-2025-14550
Published: 03 February 2026
Summary
CVE-2025-14550 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Django (NVD vendor/product: Djangoproject Django). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Endpoint Denial of Service: Application or System Exploitation (T1499.004). The CVE is ranked at the 19.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Addresses inefficient algorithms whose complexity can be exploited for DoS (derived from CWE-407).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables Endpoint Denial of Service (T1499.004, Application or System Exploitation): a remote client directly exploits inefficient duplicate-header processing in a public-facing Django ASGI application, with no authentication or user interaction required.
NVD Description
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.
Deeper analysis
CVE-2025-14550 is a denial-of-service vulnerability in Django's ASGIRequest component, affecting versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. A remote attacker can exploit this by sending a crafted HTTP request containing multiple duplicate headers, potentially leading to resource exhaustion. Earlier unsupported Django series, such as 5.0.x, 4.1.x, and 3.2.x, were not evaluated but may also be vulnerable. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-407 (Inefficient Algorithmic Complexity).
Any unauthenticated remote attacker with network access to a vulnerable Django ASGI application can exploit this flaw without user interaction. A single HTTP request carrying a large number of duplicate headers makes ASGIRequest spend disproportionate CPU time folding the repeated values together (the CWE-407 pattern), tying up the worker that handles the request; a stream of such requests can exhaust the application's capacity to serve legitimate traffic. Two scoping notes for defenders: the advisory names only ASGIRequest, so WSGI deployments are not covered by its statement either way; and a reverse proxy that caps header count or total header size limits how much duplication reaches Django, which reduces exposure but is not a fix.
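To make the CWE-407 mechanism concrete, here is an added illustrative model (not Django's code, and not an exploit against a live server). It folds N duplicate values of one header into a single comma-joined META entry two ways: by repeated string concatenation, which re-copies the growing string on every step, and by collecting the values in a list and joining once. The ASGI-style scope, the `meta_key` helper and the "characters written" cost model are constructed for this demo; the CGI-style META naming mirrors the usual convention but is simplified.

```python
"""Illustrative model of inefficient duplicate-header merging (CWE-407).

Added example, not Django's code. It contrasts a quadratic merge
(repeated concatenation) with a linear one (collect, then join once)
over a constructed ASGI-style header list.
"""
import time


def meta_key(name: bytes) -> str:
    """CGI-style META key for a raw header name: b'x-dup' -> 'HTTP_X_DUP'.

    Simplified convention for the demo; the two classic special cases are kept.
    """
    text = name.decode("latin1")
    if text == "content-type":
        return "CONTENT_TYPE"
    if text == "content-length":
        return "CONTENT_LENGTH"
    return "HTTP_" + text.upper().replace("-", "_")


def merge_quadratic(headers):
    """Merge duplicates by concatenation; returns (meta, chars_written).

    chars_written counts characters materialised in newly built strings,
    a wall-clock-independent cost model that exposes the growth.
    """
    meta = {}
    written = 0
    for name, value in headers:
        key = meta_key(name)
        text = value.decode("latin1")
        if key in meta:
            # Every duplicate builds a brand-new string holding everything
            # accumulated so far, so the i-th duplicate costs O(i) work.
            text = meta[key] + "," + text
        written += len(text)
        meta[key] = text
    return meta, written


def merge_linear(headers):
    """Collect values per key and join once; returns (meta, chars_written)."""
    buckets = {}
    written = 0
    for name, value in headers:
        text = value.decode("latin1")
        buckets.setdefault(meta_key(name), []).append(text)
        written += len(text)
    meta = {}
    for key, values in buckets.items():
        joined = ",".join(values)  # one pass over the total length
        written += len(joined)
        meta[key] = joined
    return meta, written


def duplicate_header_scope(count, name=b"x-dup", value=b"a"):
    """Constructed ASGI HTTP scope carrying `count` copies of one header."""
    return {"type": "http", "method": "GET", "path": "/",
            "headers": [(name, value)] * count}


def growth_ratio(merge, small, large):
    """Cost growth between `small` and `large` duplicates for a merge function."""
    _, cost_small = merge(duplicate_header_scope(small)["headers"])
    _, cost_large = merge(duplicate_header_scope(large)["headers"])
    return cost_large / cost_small


if __name__ == "__main__":
    for n in (1_000, 4_000, 16_000):
        headers = duplicate_header_scope(n)["headers"]
        for merge in (merge_quadratic, merge_linear):
            t0 = time.perf_counter()
            meta, cost = merge(headers)
            elapsed_ms = (time.perf_counter() - t0) * 1000
            assert meta["HTTP_X_DUP"].count(",") == n - 1
            print(f"{merge.__name__:16s} n={n:6d} chars_written={cost:12d} {elapsed_ms:8.2f} ms")
```

With one-character values the quadratic merge writes exactly n² characters for n duplicates, so quadrupling the header count multiplies the work by sixteen, while the linear merge grows in step with the input. That asymmetry is what lets a single small request cost the server far more than it costs the client.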
Django's security advisories recommend upgrading to patched versions: 6.0.2, 5.2.11, or 4.2.28. Details are available in the official security release notes at https://docs.djangoproject.com/en/dev/releases/security/, the django-announce mailing list at https://groups.google.com/g/django-announce, and the security release announcement at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/. The issue was responsibly reported by Jiyong Yang.
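For an inventory check, the following added helper (not Django's own code) classifies a Django version string against the ranges the advisory lists. Returning None for the 5.0.x, 4.1.x, 3.2.x and older series reflects the advisory's "not evaluated" wording; treating any series newer than 6.0 as fixed is this script's assumption, not a statement from the advisory.

```python
"""Added helper, not Django's code: classify a Django version against the
affected ranges the advisory lists for CVE-2025-14550.

Result: True = affected, False = fixed, None = series the advisory says
it did not evaluate (treat as potentially affected).
"""
import re

# Series -> first fixed micro release, straight from the advisory text.
FIXED_IN = {(6, 0): 2, (5, 2): 11, (4, 2): 28}
NEWEST_EVALUATED = (6, 0)


def parse_version(version):
    """'5.2.11' -> (5, 2, 11); '6.0' -> (6, 0, 0); '6.0a1' -> (6, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    major, minor, micro = m.groups()
    return int(major), int(minor), int(micro or 0)


def affected_by_cve_2025_14550(version):
    major, minor, micro = parse_version(version)
    series = (major, minor)
    if series in FIXED_IN:
        return micro < FIXED_IN[series]
    if series > NEWEST_EVALUATED:
        # Assumption of this helper: later series branch from fixed code.
        return False
    return None  # unsupported, unevaluated series per the advisory


def report(version):
    """One-line verdict suitable for an inventory script."""
    verdict = affected_by_cve_2025_14550(version)
    if verdict is None:
        return (f"Django {version}: series not evaluated by the advisory; "
                f"treat as potentially affected")
    if verdict:
        major, minor, _ = parse_version(version)
        fixed = f"{major}.{minor}.{FIXED_IN[(major, minor)]}"
        return f"Django {version}: AFFECTED by CVE-2025-14550, upgrade to {fixed}"
    return f"Django {version}: not affected by CVE-2025-14550"


if __name__ == "__main__":
    try:
        import django
        print(report(django.get_version()))
    except ImportError:
        # Constructed sample versions for a dry run without Django installed.
        for sample in ("4.2.27", "4.2.28", "5.0.14", "5.2.10", "6.0", "6.0.2"):
            print(report(sample))
```

Run it inside the virtualenv of each deployment so `django.get_version()` reports the version that actually serves traffic, rather than whatever a requirements file claims.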
Details
- CWE(s)