CVE-2025-64460

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-64460
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64460.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64460
Aliases
Downstream
Related
Published
2025-12-02T16:15:56.013Z
Modified
2025-12-12T02:55:56.749679Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in django.core.serializers.xml_serializer.getInnerText() allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML Deserializer. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

References

Affected packages

Git / github.com/django/django

Affected ranges

Type
GIT
Repo
https://github.com/django/django
Events
Introduced
879e5d587b84e6fc961829611999431778eb9f6a
Fixed
5948e6657f8cb6aeaab1a5a45640d089230f461a

Affected versions

4.*

4.2
4.2.1
4.2.10
4.2.11
4.2.12
4.2.13
4.2.14
4.2.15
4.2.16
4.2.17
4.2.18
4.2.19
4.2.2
4.2.20
4.2.21
4.2.22
4.2.23
4.2.24
4.2.25
4.2.26
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64460.json"