BIT-django-2026-33034

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/django/BIT-django-2026-33034.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-django-2026-33034

Aliases

Published

2026-04-16T23:38:46.634Z

Modified

2026-05-20T08:11:14.681120318Z

Summary

Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass

Details

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.

Database specific

{
    "cpes": [
        "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / django

Package

Name: django
Purl: pkg:bitnami/django

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

4.2.0

Fixed

4.2.30

Introduced

5.2.0

Fixed

5.2.13

Introduced

6.0.0

Fixed

6.0.4

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/django/BIT-django-2026-33034.json"