CVE-2025-64460

Summary

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in django.core.serializers.xml_serializer.getInnerText() allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML Deserializer. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Affected Software

VendorProductVersion RangeStatus
djangoprojectDjango5.2 < 5.2.9affected
djangoprojectDjango5.2.9unaffected
djangoprojectDjango5.1 < 5.1.15affected
djangoprojectDjango5.1.15unaffected
djangoprojectDjango4.2 < 4.2.27affected
djangoprojectDjango4.2.27unaffected

Weaknesses

  • CWE-407: CWE-407: Inefficient Algorithmic Complexity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References