CVE-2025-26699
Published: 06 March 2025
Summary
CVE-2025-26699 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Djangoproject Django. Its CVSS base score is 5.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 47.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26699 affects the django.utils.text.wrap() method and the wordwrap template filter in Django versions 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The flaw stems from unbounded processing of extremely long input strings, which can trigger excessive resource allocation and is tracked under CWE-770.
An authenticated attacker with network access can supply crafted long strings to any code path that invokes the vulnerable wrap function or template filter, resulting in a denial-of-service condition that degrades availability for the affected Django application. The CVSS 5.0 score reflects low attack complexity and the requirement for low privileges, with impact limited to availability.
Official advisories from the Django project and downstream distributions such as Debian recommend immediate upgrade to the fixed releases 5.1.7, 5.0.13, or 4.2.20; the security announcements also direct administrators to the project’s release notes for patch verification and backport guidance.
EPSS for the CVE rose from a baseline near 0.0029 to a peak of 0.0160 in January 2026 before receding, indicating a measurable increase in observed exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6773
Vulnerability details
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a resource exhaustion DoS triggered by supplying long strings to Django's wrap() method/template filter, directly enabling exploitation of an application vulnerability to cause unresponsiveness (T1499.004 Application or System Exploitation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Remediating the specific flaw in Django's wrap() and wordwrap functions by applying vendor patches (5.1.7, 5.0.13, 4.2.20) directly prevents exploitation of CVE-2025-26699.
Denial-of-service protections such as rate limiting, traffic shaping, and resource throttling directly mitigate resource exhaustion from processing very long strings in Django.
Restricting the quantity of information inputs, such as maximum string lengths, prevents attackers from supplying excessively long strings that trigger resource allocation without limits.