CVE-2025-64460: Critical DoS Vulnerability in Django XML Deserializer – Patch Immediately!

Overview

CVE-2025-64460 describes a potential denial-of-service (DoS) vulnerability affecting Django versions 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. This issue arises from algorithmic complexity within the django.core.serializers.xml_serializer.getInnerText() function. A remote attacker can exploit this vulnerability by sending specially crafted XML input to the Django XML Deserializer, leading to excessive CPU and memory consumption, effectively causing a denial-of-service.

It is important to note that older, unsupported Django versions (such as 5.0.x, 4.1.x, and 3.2.x) were not explicitly evaluated but may also be susceptible to this vulnerability. Therefore, users of these older versions are strongly advised to consider upgrading or applying suitable mitigations.

Technical Details

The vulnerability resides within the getInnerText() function of the XML serializer in Django. This function is responsible for extracting text content from XML nodes. The vulnerability stems from the inefficient algorithmic complexity of this function when processing deeply nested or excessively large XML structures. An attacker can leverage this by crafting malicious XML input that triggers exponential growth in processing time and memory usage, ultimately exhausting server resources.

The core of the problem is the way getInnerText() handles deeply nested XML structures. The processing time increases significantly with each level of nesting, making the application vulnerable to CPU and memory exhaustion with relatively small, yet maliciously structured, XML documents.

CVSS Analysis

Currently, the CVE entry does not have a CVSS score assigned (N/A). However, given the potential for a denial-of-service, it is likely to be classified as a high severity vulnerability. The lack of authentication required for exploitation and the potential for significant impact on availability suggest a score in the range of 7.5 – 9.0. An official CVSS score from NVD is still pending.

Possible Impact

Successful exploitation of CVE-2025-64460 can result in a denial-of-service, rendering the affected Django application unavailable to legitimate users. This can lead to:

  • Service disruption: The application becomes unresponsive, preventing users from accessing critical services.
  • Data loss (indirect): In extreme cases, server instability caused by memory exhaustion can lead to data corruption or loss.
  • Reputational damage: Prolonged service outages can damage the organization’s reputation and erode customer trust.

Mitigation and Patch Steps

The recommended mitigation is to upgrade your Django installation to the patched versions:

  • Upgrade to Django 5.2.9 or later.
  • Upgrade to Django 5.1.15 or later.
  • Upgrade to Django 4.2.27 or later.

You can upgrade Django using pip; run only the command that matches the release series you are currently on:

pip install django==5.2.9  # Or the latest patched version
pip install django==5.1.15  # Or the latest patched version
pip install django==4.2.27  # Or the latest patched version

If upgrading is not immediately feasible, consider the following temporary mitigations:

  • Input validation: Implement strict validation of XML input to limit the size and complexity of processed documents.
  • Rate limiting: Implement rate limiting to restrict the number of requests from a single source, mitigating the impact of malicious attacks.
  • Web Application Firewall (WAF): Employ a WAF to detect and block potentially malicious XML payloads. Configure the WAF with rules to identify and reject excessively nested XML structures.
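The input-validation mitigation above can be enforced in application code before untrusted XML ever reaches django.core.serializers.deserialize("xml", ...). The following is an added example, not code from the advisory or from Django itself: it streams the document through the standard-library expat parser, which runs in linear time, and rejects it on the first violation of an assumed byte-size cap, nesting-depth cap or element-count cap. The limit values and the sample fixture are constructed for illustration.

```python
"""Pre-check untrusted XML before handing it to Django's XML deserializer."""
import xml.parsers.expat

MAX_BYTES = 1_000_000     # assumed cap on raw document size
MAX_DEPTH = 20            # assumed cap on element nesting depth
MAX_ELEMENTS = 50_000     # assumed cap on total element count


class XMLComplexityError(ValueError):
    """Raised when a document exceeds the configured size/complexity limits."""


def check_xml_complexity(data: bytes, max_bytes: int = MAX_BYTES,
                         max_depth: int = MAX_DEPTH,
                         max_elements: int = MAX_ELEMENTS) -> dict:
    """Return {'depth': max_depth_seen, 'elements': count} or raise."""
    if len(data) > max_bytes:
        raise XMLComplexityError(f"document too large: {len(data)} bytes")

    stats = {"depth": 0, "elements": 0}
    current = 0  # depth of the element currently being parsed

    def start(name, attrs):
        nonlocal current
        current += 1
        stats["elements"] += 1
        # Fail fast: expat propagates exceptions raised in handlers.
        if current > max_depth:
            raise XMLComplexityError(f"nesting depth exceeds {max_depth}")
        if stats["elements"] > max_elements:
            raise XMLComplexityError(f"element count exceeds {max_elements}")
        stats["depth"] = max(stats["depth"], current)

    def end(name):
        nonlocal current
        current -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)  # True: this is the final chunk
    except xml.parsers.expat.ExpatError as exc:
        raise XMLComplexityError(f"malformed XML: {exc}") from exc
    return stats


# Constructed sample in Django's fixture layout (depth 3, 3 elements).
SAMPLE_FIXTURE = (b'<?xml version="1.0" encoding="utf-8"?>\n'
                  b'<django-objects version="1.0">\n'
                  b'  <object model="auth.group" pk="1">\n'
                  b'    <field name="name" type="CharField">admins</field>\n'
                  b'  </object>\n</django-objects>\n')
```

Call check_xml_complexity() on the raw bytes and only pass the document on to deserialize() when it returns; a rejected document costs one linear pass rather than a deserializer run.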

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.