CVE-2025-14550

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. ASGIRequest allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/14xxx/CVE-2025-14550.json",
    "cna_assigner": "DSF",
    "cwe_ids": [
        "CWE-407"
    ]
}

References

Affected packages

Git / github.com/django/asgiref

Affected ranges

Type

GIT

Repo

https://github.com/django/asgiref

Events

Introduced

Fixed

d97a7339524c89798c510de6c142b663fe40400c

Database specific

{
    "extracted_events": [
        {
            "introduced": "3"
        },
        {
            "fixed": "3.11.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*

0.10.0

0.11.1

0.11.2

0.12.0

0.12.1

0.13.0

0.13.1

0.13.2

0.13.3

0.14.0

0.8

0.9

0.9.1

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.3.0

2.3.1

2.3.2

3.*

3.0.0

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.10.0

3.11.0

3.2.0

3.2.1

3.2.10

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.4.1

3.5.0

3.5.1

3.5.2

3.6.0

3.7.0

3.7.2

3.8.0

3.8.1

3.9.0

3.9.1

3.9.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-14550.json"

Git / github.com/django/django

Affected ranges

Type: GIT
Repo: https://github.com/django/django
Events: Introduced

97aa3b7f08f51669e118f3af5ca91026e39664c3

Fixed

20c71f6b91324cf401056c72136c14e0ec2bf7bf

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-14550.json"