GHSA-vrcr-9hj9-jcg6

Source

https://github.com/advisories/GHSA-vrcr-9hj9-jcg6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-vrcr-9hj9-jcg6/GHSA-vrcr-9hj9-jcg6.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-vrcr-9hj9-jcg6

Aliases

CVE-2025-64460

Downstream

MINI-r6r3-3x7c-jjww

Related

CGA-vf5h-pr3q-cw8w

Published

2025-12-02T18:30:35Z

Modified

2025-12-03T17:27:59.747396Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Django is vulnerable to DoS via XML serializer text extraction

Details

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in django.core.serializers.xml_serializer.getInnerText() allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML Deserializer. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2025-12-02T16:15:56Z",
    "github_reviewed_at": "2025-12-03T16:59:02Z",
    "cwe_ids": [
        "CWE-407"
    ]
}

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.2a1

Fixed

5.2.9

Affected versions

5.*

5.2a1

5.2b1

5.2rc1

5.2

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.1a1

Fixed

5.1.15

Affected versions

5.*

5.1a1

5.1b1

5.1rc1

5.1

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.1.11

5.1.12

5.1.13

5.1.14

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2a1

Fixed

4.2.27

Affected versions

4.*

4.2a1

4.2b1

4.2rc1

4.2

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

4.2.10

4.2.11

4.2.12

4.2.13

4.2.14

4.2.15

4.2.16

4.2.17

4.2.18

4.2.19

4.2.20

4.2.21

4.2.22

4.2.23

4.2.24

4.2.25

4.2.26