High severityNVD Advisory· Published Jul 31, 2012· Updated Apr 29, 2026

CVE-2012-3443

Description

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
DjangoPyPI	< 1.3.2	1.3.2
DjangoPyPI	>= 1.4, < 1.4.1	1.4.1

Affected products

Djangoproject/Django29 versions
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*+ 28 more
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*range: <=1.3
- cpe:2.3:a:djangoproject:django:0.95:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:0.96:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.0:beta:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1:alpha1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2-alpha1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*

Patches

da33d67181b5

[1.4.x] Fixed a security issue in image uploading. Disclosure and release forthcoming.

https://github.com/django/djangoFlorian ApollonerJul 30, 2012via ghsa

commit

1 file changed · +6 −1

django/core/files/images.py+6 −1 modified

@@ -47,13 +47,18 @@ def get_image_dimensions(file_or_path, close=False):
         file = open(file_or_path, 'rb')
         close = True
     try:
+        # Most of the time PIL only needs a small chunk to parse the image and
+        # get the dimensions, but with some TIFF files PIL needs to parse the
+        # whole file.
+        chunk_size = 1024
         while 1:
-            data = file.read(1024)
+            data = file.read(chunk_size)
             if not data:
                 break
             p.feed(data)
             if p.image:
                 return p.image.size
+            chunk_size = chunk_size*2
         return None
     finally:
         if close:

9ca0ff6268ee

[1.3.x] Fixed a security issue in image uploading. Disclosure and release forthcoming.

https://github.com/django/djangoFlorian ApollonerJul 30, 2012via ghsa

commit

1 file changed · +6 −1

django/core/files/images.py+6 −1 modified

@@ -47,13 +47,18 @@ def get_image_dimensions(file_or_path, close=False):
         file = open(file_or_path, 'rb')
         close = True
     try:
+        # Most of the time PIL only needs a small chunk to parse the image and
+        # get the dimensions, but with some TIFF files PIL needs to parse the
+        # whole file.
+        chunk_size = 1024
         while 1:
-            data = file.read(1024)
+            data = file.read(chunk_size)
             if not data:
                 break
             p.feed(data)
             if p.image:
                 return p.image.size
+            chunk_size = chunk_size*2
         return None
     finally:
         if close:

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/nvdPatchVendor Advisory
github.com/advisories/GHSA-59w8-4wm2-4xw8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2012-3443ghsaADVISORY
www.debian.org/security/2012/dsa-2529nvdWEB
www.mandriva.com/security/advisoriesnvdWEB
www.openwall.com/lists/oss-security/2012/07/31/1nvdWEB
www.openwall.com/lists/oss-security/2012/07/31/2nvdWEB
www.ubuntu.com/usn/USN-1560-1nvdWEB
github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155ghsaWEB
github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6ghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2012-3.yamlghsaWEB
www.debian.org/security/2012/dsa-2529ghsaWEB
www.djangoproject.com/weblog/2012/jul/30/security-releases-issuedghsaWEB
www.mandriva.com/security/advisoriesghsaWEB
www.openwall.com/lists/oss-security/2012/07/31/1ghsaWEB
www.openwall.com/lists/oss-security/2012/07/31/2ghsaWEB
www.ubuntu.com/usn/USN-1560-1ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000