CVE CyberSecurity Database News

CVE-2025-26699 - Django wrap() and wordwrap Filter Vulnerability Can Trigger DoS Attacks

Poster -

A new security issue, CVE-2025-26699, was recently found in the Django web framework. This vulnerability affects all Django versions before 5.1.7, 5..13, and 4.2.20. If you use the django.utils.text.wrap() method or the wordwrap template filter in your code or templates, you’re potentially open to a Denial of Service (DoS) attack. This article will explain what’s wrong, show code samples, demonstrate how the attack works, and offer advice on how to safeguard your Django project.

What is CVE-2025-26699?

In affected Django versions, both the django.utils.text.wrap() method and the wordwrap template filter do not adequately limit processing on very long, unbroken input strings. This can allow attackers to send massive, purposely malformed strings that tie up your server’s CPU and memory, making your app slow or totally unavailable until restarted.

The vulnerability is tracked as CVE-2025-26699.

1. In Python code

from django.utils.text import wrap

# Imagine the attacker submits this through a form or API
dangerous_long_string = "A" * (10**7)  # 10 million characters, no spaces

# You call wrap() to prettify it for display or emails
wrapped = wrap(dangerous_long_string, width=80)

# This call can hang for a long time or consume excessive memory!

Suppose your template has

{{ user_input|wordwrap:80 }}

And someone submits a long, unbroken string via a form

AAAAAAAAAAAAAAA...(10 million)...

When rendering, Django tries to wrap this monster string, chewing up server resources and possibly blocking other requests.

Find an input field (e.g., message boards, comments, user profile text).

2. Paste in a huge string, like A repeated tens of millions of times, with no spaces, and submit it.

Server tries to format it, e.g., via wordwrap.

4. Server gets bogged down. Other requests slow, memory/cpu spike, server may crash or need a restart.

For example, a simple POST request with a massive input

curl -X POST https://yourapp.com/comments/new/ \
  -d "comment=$(python -c 'print("A"*10000000)')" \
  --header "Content-Type: application/x-www-form-urlencoded"

If the comment is rendered with wordwrap, this could tie up your worker process for minutes or even hours, depending on input length and hardware.

Why Does This Happen?

Both wrap() and wordwrap try to break up long lines. But if the input is a single, giant word (like "A"*10000000), their internal logic can become extremely slow or inefficient, since:

Processing is not bounded, leading to resource exhaustion.

Official Django docs state (wordwrap filter):

> "For very long strings without whitespace, this operation can be slow or memory-intensive."

But until now, the core Django functions didn't enforce any strict limits.

Accepting untrusted user input for display, email, or processing

If you filter or limit input, or you don’t use these features, you’re safer. Still, many projects are impacted.

4.2.20

Read the Django Security Advisory:
https://www.djangoproject.com/weblog/2024/jun/04/security-releases/

The official changelog (see wrap() and wordwrap improvements):
- Django 5.1.7 changelog
- Django 5..13 changelog
- Django 4.2.20 changelog

Update your Django version as soon as possible

pip install --upgrade django

Make sure your requirements.txt or pyproject.toml specifies a safe version

django>=5.1.7

Even with a fixed Django, always limit user input sizes

- Use MaxLengthValidator on models/forms
- Set max POST sizes in your web server/app config

Example for a model

from django.db import models

class Comment(models.Model):
    content = models.TextField(max_length=100)  # don't allow huge comments!

4. Monitor logs and resources

Be on the lookout for abnormal spikes in CPU/memory or suspiciously long requests.

Conclusion

CVE-2025-26699 is an example of how even “small” utility or template features can introduce big security headaches. If you maintain any Django app, update today—and audit all processing of large user-supplied texts.

Upgrading Django right away

- Limiting/filtering user input everywhere you can

For more details and updates, check these references

- Django Official Security Advisory
- CVE-2025-26699 on NVD
- Relevant Stack Overflow QA

Timeline

Published on: 03/06/2025 19:15:27 UTC
Last modified on: 03/19/2025 20:15:19 UTC