Cyber Resilience

CVE-2025-26699

Medium

Published: 06 March 2025

Published
06 March 2025
Modified
03 October 2025
KEV Added
Patch
CVSS Score v3.1 5.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
EPSS Score 0.0029 52.5th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26699 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Djangoproject Django. Its CVSS base score is 5.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 47.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26699 affects the django.utils.text.wrap() method and the wordwrap template filter in Django versions 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The flaw stems from unbounded processing of extremely long input strings, which can trigger excessive resource allocation and is tracked under CWE-770.

An authenticated attacker with network access can supply crafted long strings to any code path that invokes the vulnerable wrap function or template filter, resulting in a denial-of-service condition that degrades availability for the affected Django application. The CVSS 5.0 score reflects low attack complexity and the requirement for low privileges, with impact limited to availability.

Official advisories from the Django project and downstream distributions such as Debian recommend immediate upgrade to the fixed releases 5.1.7, 5.0.13, or 4.2.20; the security announcements also direct administrators to the project’s release notes for patch verification and backport guidance.

EPSS for the CVE rose from a baseline near 0.0029 to a peak of 0.0160 in January 2026 before receding, indicating a measurable increase in observed exploitation interest after public disclosure.

EU & UK References

Vulnerability details

An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a resource exhaustion DoS triggered by supplying long strings to Django's wrap() method/template filter, directly enabling exploitation of an application vulnerability to cause unresponsiveness (T1499.004 Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-56374Same product: Debian Debian Linux
CVE-2026-25673Same product: Djangoproject Django
CVE-2026-33034Same product: Djangoproject Django
CVE-2026-23490Same product: Debian Debian Linux
CVE-2025-14550Same product: Djangoproject Django
CVE-2026-1285Same product: Djangoproject Django
CVE-2025-62599Same product: Debian Debian Linux
CVE-2025-25475Same product: Debian Debian Linux
CVE-2025-62600Same product: Debian Debian Linux
CVE-2024-58054Same product: Debian Debian Linux

Affected Assets

djangoproject
django
4.2 — 4.2.20 · 5.0 — 5.0.13 · 5.1 — 5.1.7
debian
debian linux
11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the specific flaw in Django's wrap() and wordwrap functions by applying vendor patches (5.1.7, 5.0.13, 4.2.20) directly prevents exploitation of CVE-2025-26699.

prevent

Denial-of-service protections such as rate limiting, traffic shaping, and resource throttling directly mitigate resource exhaustion from processing very long strings in Django.

prevent

Restricting the quantity of information inputs, such as maximum string lengths, prevents attackers from supplying excessively long strings that trigger resource allocation without limits.

References