CVE-2025-26699
Published: 06 March 2025
Summary
CVE-2025-26699 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Djangoproject Django. Its CVSS base score is 5.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 47.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the specific flaw in Django's wrap() and wordwrap functions by applying vendor patches (5.1.7, 5.0.13, 4.2.20) directly prevents exploitation of CVE-2025-26699.
Denial-of-service protections such as rate limiting, traffic shaping, and resource throttling directly mitigate resource exhaustion from processing very long strings in Django.
Restricting the quantity of information inputs, such as maximum string lengths, prevents attackers from supplying excessively long strings that trigger resource allocation without limits.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a resource exhaustion DoS triggered by supplying long strings to Django's wrap() method/template filter, directly enabling exploitation of an application vulnerability to cause unresponsiveness (T1499.004 Application or System Exploitation).
NVD Description
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Deeper analysisAI
CVE-2025-26699 is a denial-of-service vulnerability in the Django web framework, specifically affecting the django.utils.text.wrap() method and the wordwrap template filter when processing very long strings. The issue impacts Django versions 5.1 prior to 5.1.7, 5.0 prior to 5.0.13, and 4.2 prior to 4.2.20. It stems from CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L).
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying very long strings to the affected functions, the attacker triggers excessive resource consumption, leading to a low-impact denial of service on the targeted Django application, particularly in a changed scope.
Django security advisories recommend upgrading to the patched versions: 5.1.7, 5.0.13, or 4.2.20. Official release notes and announcements detail the fix, available at docs.djangoproject.com/en/dev/releases/security/, groups.google.com/g/django-announce, and www.djangoproject.com/weblog/2025/mar/06/security-releases/, with additional notifications on oss-security and Debian LTS lists.
Details
- CWE(s)