High severity · NVD Advisory · Published Oct 13, 2009 · Updated Apr 23, 2026
CVE-2009-3695
Description
Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.
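To show the mechanics behind that description, here is an added example (not code from this page or from Django) that isolates the domain sub-expression from the two sides of the fix commit and measures how match time grows with input length. The helper names (`is_valid_domain`, `match_seconds`, `growth_factor`, `single_label`) and the probe inputs are my own; the expectation that the old pattern's cost roughly doubles per character is an assumption the harness is there to confirm.

```python
import re
import timeit

# Domain sub-expressions from the two sides of the fix (commit 594a28a90441),
# with the scheme and local-part pieces dropped so only the backtracking part
# is exercised; anchoring mirrors Django's.
VULNERABLE_DOMAIN = re.compile(
    r'^(?:[A-Z0-9]+(?:-*[A-Z0-9]+)*\.)+[A-Z]{2,6}$', re.IGNORECASE)
PATCHED_DOMAIN = re.compile(
    r'^(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?$', re.IGNORECASE)


def is_valid_domain(pattern, value):
    """True when `value` matches `pattern` in full."""
    return pattern.match(value) is not None


def match_seconds(pattern, value, repeat=3):
    """Best-of-`repeat` wall time, in seconds, for a single match attempt."""
    return min(timeit.repeat(lambda: pattern.match(value), number=1, repeat=repeat))


def growth_factor(pattern, make_input, n_small, n_large):
    """Ratio of match time at n_large to match time at n_small (assumed check).

    A linear-time pattern stays near n_large / n_small; a catastrophically
    backtracking one roughly doubles per extra character.  Keep n_large small
    (about 18 or below) when probing a pattern you suspect is bad."""
    slow = match_seconds(pattern, make_input(n_large))
    fast = match_seconds(pattern, make_input(n_small))
    return slow / max(fast, 1e-9)


def single_label(n):
    """Constructed probe: n alphanumerics and no dot, so the first group matches
    and the following literal dot fails, forcing the old pattern to retry every
    way of splitting the run between its nested quantifiers."""
    return 'X' * n


if __name__ == '__main__':
    for value in ('example.com', 'valid-with-hyphens.com', 'a' * 63 + '.com',
                  'a' * 64 + '.com', 'example.com.'):
        print('%-70s old=%s new=%s' % (value, is_valid_domain(VULNERABLE_DOMAIN, value),
                                       is_valid_domain(PATCHED_DOMAIN, value)))
    # The 200-character probe from the fix's regression test returns from the
    # patched pattern almost instantly; the old pattern is only timed on short
    # inputs because its cost doubles with every added character.
    print('patched, 200 chars: %.6fs' % match_seconds(PATCHED_DOMAIN, single_label(200)))
    print('old, growth 12->18: %.0fx' % growth_factor(VULNERABLE_DOMAIN, single_label, 12, 18))
    print('new, growth 12->18: %.1fx' % growth_factor(PATCHED_DOMAIN, single_label, 12, 18))
```

Besides the timing, the run shows the two behaviour changes the fix carries: a 64-character label is now rejected and a trailing dot is now accepted.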
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 1.0, < 1.0.4 | 1.0.4 |
| Django (PyPI) | >= 1.1, < 1.1.1 | 1.1.1 |
Affected products
- cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*
Patches
594a28a90441 · SECURITY ALERT: Corrected regular expressions for URL and email fields.
2 files changed · +35 −2
django/forms/fields.py+2 −2 modified@@ -421,7 +421,7 @@ def clean(self, value): email_re = re.compile( r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*" # dot-atom r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-011\013\014\016-\177])*"' # quoted-string - r')@(?:[A-Z0-9]+(?:-*[A-Z0-9]+)*\.)+[A-Z]{2,6}$', re.IGNORECASE) # domain + r')@(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?$', re.IGNORECASE) # domain class EmailField(RegexField): default_error_messages = { @@ -532,7 +532,7 @@ def clean(self, data, initial=None): url_re = re.compile( r'^https?://' # http:// or https:// - r'(?:(?:[A-Z0-9]+(?:-*[A-Z0-9]+)*\.)+[A-Z]{2,6}|' #domain... + r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|' #domain... r'localhost|' #localhost... r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip r'(?::\d+)?' # optional port
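Review bot: the new label sub-expression `[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?` in both the email_re and url_re hunks removes the nested unbounded repetition of the old `[A-Z0-9]+(?:-*[A-Z0-9]+)*`, where `-*` could match nothing, so one run of alphanumerics could be split between the two quantifiers in exponentially many ways before the following `\.` failed; bounding the label to 63 characters also caps what is left to 62 retries per label. Two behaviour changes ride along and should be called out in the release notes: the `\.?` added before `$` accepts a trailing dot (absolute FQDN), and labels longer than 63 characters are now rejected where the old pattern accepted them. The label sub-expression is now duplicated verbatim in email_re and url_re; consider hoisting it into one module-level constant so the next correction lands in both places at once.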
tests/regressiontests/forms/fields.py+33 −0 modified@@ -767,6 +767,13 @@ >>> f.clean('example@valid-with-hyphens.com') u'example@valid-with-hyphens.com' +# Check for runaway regex security problem. This will take for-freeking-ever +# if the security fix isn't in place. +>>> f.clean('viewx3dtextx26qx3d@yahoo.comx26latlngx3d15854521645943074058') +Traceback (most recent call last): + ... +ValidationError: [u'Enter a valid e-mail address.'] + >>> f = EmailField(required=False) >>> f.clean('') u'' @@ -972,6 +979,32 @@ Traceback (most recent call last): ... ValidationError: [u'Enter a valid URL.'] +>>> f.clean('.') +Traceback (most recent call last): +... +ValidationError: [u'Enter a valid URL.'] +>>> f.clean('com.') +Traceback (most recent call last): +... +ValidationError: [u'Enter a valid URL.'] +>>> f.clean('http://example.com.') +u'http://example.com./' +>>> f.clean('example.com.') +u'http://example.com./' + +# hangs "forever" if catastrophic backtracking in ticket:#11198 not fixed +>>> f.clean('http://%s' % ("X"*200,)) +Traceback (most recent call last): +... +ValidationError: [u'Enter a valid URL.'] + +# a second test, to make sure the problem is really addressed, even on +# domains that don't fail the domain label length check in the regex +>>> f.clean('http://%s' % ("X"*60,)) +Traceback (most recent call last): +... +ValidationError: [u'Enter a valid URL.'] + >>> f.clean('http://.com') Traceback (most recent call last): ...
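Review bot: the new doctests only assert the validation outcome, so a regression in the regex would hang the test run rather than fail it, which the comments (`This will take for-freeking-ever`, `hangs "forever"`) acknowledge; a bounded check would be more useful, for instance timing `f.clean('http://%s' % ("X"*200,))` and failing past a generous limit, or keeping the probe strings short enough that a regression still completes and is caught by a timing assertion. Minor: the first traceback ellipsis is indented (`    ...`) while the later ones are flush-left (`...`); doctest ignores the stack lines either way, but pick one style. `for-freeking-ever` in the comment is informal for a security regression test; `for a very long time` reads better.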
e3e992e18b36 · [1.1.X] SECURITY ALERT: Corrected regular expressions for URL and email fields.
2 files changed · +35 −2
django/forms/fields.py+2 −2 modified@@ -421,7 +421,7 @@ def clean(self, value): email_re = re.compile( r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*" # dot-atom r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-011\013\014\016-\177])*"' # quoted-string - r')@(?:[A-Z0-9]+(?:-*[A-Z0-9]+)*\.)+[A-Z]{2,6}$', re.IGNORECASE) # domain + r')@(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?$', re.IGNORECASE) # domain class EmailField(RegexField): default_error_messages = { @@ -532,7 +532,7 @@ def clean(self, data, initial=None): url_re = re.compile( r'^https?://' # http:// or https:// - r'(?:(?:[A-Z0-9]+(?:-*[A-Z0-9]+)*\.)+[A-Z]{2,6}|' #domain... + r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,6}\.?|' #domain... r'localhost|' #localhost... r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip r'(?::\d+)?' # optional port
tests/regressiontests/forms/fields.py+33 −0 modified@@ -767,6 +767,13 @@ >>> f.clean('example@valid-with-hyphens.com') u'example@valid-with-hyphens.com' +# Check for runaway regex security problem. This will take for-freeking-ever +# if the security fix isn't in place. +>>> f.clean('viewx3dtextx26qx3d@yahoo.comx26latlngx3d15854521645943074058') +Traceback (most recent call last): + ... +ValidationError: [u'Enter a valid e-mail address.'] + >>> f = EmailField(required=False) >>> f.clean('') u'' @@ -972,6 +979,32 @@ Traceback (most recent call last): ... ValidationError: [u'Enter a valid URL.'] +>>> f.clean('.') +Traceback (most recent call last): +... +ValidationError: [u'Enter a valid URL.'] +>>> f.clean('com.') +Traceback (most recent call last): +... +ValidationError: [u'Enter a valid URL.'] +>>> f.clean('http://example.com.') +u'http://example.com./' +>>> f.clean('example.com.') +u'http://example.com./' + +# hangs "forever" if catastrophic backtracking in ticket:#11198 not fixed +>>> f.clean('http://%s' % ("X"*200,)) +Traceback (most recent call last): +... +ValidationError: [u'Enter a valid URL.'] + +# a second test, to make sure the problem is really addressed, even on +# domains that don't fail the domain label length check in the regex +>>> f.clean('http://%s' % ("X"*60,)) +Traceback (most recent call last): +... +ValidationError: [u'Enter a valid URL.'] + >>> f.clean('http://.com') Traceback (most recent call last): ...
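Review bot: both hunks of this 1.1.X backport are identical to those in 594a28a90441 (same regex replacements in django/forms/fields.py, same added doctests), so the comments on that commit apply unchanged here; the only difference is the `[1.1.X]` prefix in the commit message.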
References
- www.djangoproject.com/weblog/2009/oct/09/security/ (NVD: Patch, Vendor Advisory)
- www.securityfocus.com/bid/36655 (NVD: Patch)
- www.vupen.com/english/advisories/2009/2871 (NVD: Patch, Vendor Advisory)
- secunia.com/advisories/36948 (NVD: Vendor Advisory)
- secunia.com/advisories/36968 (NVD: Vendor Advisory)
- github.com/advisories/GHSA-p6m5-h7pp-v2x5 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2009-3695 (GHSA: Advisory)
- bugs.debian.org/cgi-bin/bugreport.cgi (NVD: Web)
- groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51 (GHSA: Web)
- www.debian.org/security/2009/dsa-1905 (NVD: Web)
- www.djangoproject.com/weblog/2009/oct/09/security (GHSA: Web)
- www.openwall.com/lists/oss-security/2009/10/13/6 (NVD: Web)
- exchange.xforce.ibmcloud.com/vulnerabilities/53727 (NVD: Web)
- github.com/django/django/commit/594a28a9044120bed58671dde8a805c9e0f6c79a (GHSA: Web)
- github.com/django/django/commit/e3e992e18b368fcd56aabafc1b5bf80a6e11b495 (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2009-4.yaml (GHSA: Web)
- web.archive.org/web/20091013093057/http://secunia.com/advisories/36968 (GHSA: Web)
- web.archive.org/web/20091017070244/http://secunia.com/advisories/36948 (GHSA: Web)
- web.archive.org/web/20200228171918/http://www.securityfocus.com/bid/36655 (GHSA: Web)
- groups.google.com/group/django-users/browse_thread/thread/15df9e45118dfc51/ (NVD)