CVE-2025-26699 - Potential Denial-of-Service Attack on Django 5.1, 5., and 4.2 due to Usage of Wrap Method and Wordwrap Template Filter with Long Strings

A vulnerability with the identifier CVE-2025-26699 has been discovered in Django, affecting versions 5.1 before 5.1.7, 5. before 5..13, and 4.2 before 4.2.20. This vulnerability involves a potential denial-of-service (DoS) attack caused by the django.utils.text.wrap() method and wordwrap template filter when they are used with very long strings. This post will provide an overview of the issue, a code snippet to demonstrate the vulnerability, links to original references, and exploit details.

Issue Description

The vulnerability is present in Django's wrap() method, which is used for text formatting, as well as in the wordwrap template filter, which allows you to control the line length of output text. When given an extremely long string as input, these two functions can cause the application to become unresponsive, potentially leading to a DoS attack.

Here's a simple example illustrating the issue

from django.utils.text import wrap

# An extremely long string
long_string = "A" * 100000

# Vulnerable usage of wrap() method
wrapped_text = wrap(long_string, width=80)

print(wrapped_text)

In this code snippet, the wrap() method is called with a string containing 1 million "A" characters. As a result, the processing time required for wrapping the text grows significantly and can cause the application to hang or become unresponsive.

The following references provide more information about the vulnerability

1. Django Security Advisory
2. CVE-2025-26699
3. Django GitHub Commit

Exploit Details

An attacker can exploit this vulnerability by providing a very long string to an input field connected to the vulnerable wrap() method or wordwrap template filter. This could create a DoS situation and cause the application to hang or become unresponsive. In some cases, this may result in resource exhaustion, further magnifying the impact on the affected system.

Mitigations

Users are advised to upgrade their Django installations to the latest versions, which include fixes for this vulnerability:

Django 4.2.20

Additionally, developers should take precautions when using the wrap() method or the wordwrap template filter, ensuring they do not process extremely long strings without proper validation and limiting inputs as needed.

Conclusion

In summary, a potential DoS vulnerability has been discovered in Django, related to the wrap() method and wordwrap template filter when used with very long strings. By upgrading to the latest Django versions and taking precautions while using these functions, users can mitigate this vulnerability and protect their applications against potential attacks.

Timeline

Published on: 03/06/2025 19:15:27 UTC
Last modified on: 03/19/2025 20:15:19 UTC