High severity · NVD Advisory · Published Jul 14, 2015 · Updated May 6, 2026
CVE-2015-5145
Description
validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 1.8a1, < 1.8.3 | 1.8.3 |
Affected products
- cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*
Patches
8f9a4d3a2bc4 [1.8.x] Fixed catastrophic backtracking in URLValidator.
5 files changed · +14 −1
django/core/validators.py+1 −1 modified@@ -73,7 +73,7 @@ class URLValidator(RegexValidator): # Host patterns hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?' - domain_re = r'(?:\.[a-z' + ul + r'0-9]+(?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9]+)*)*' + domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]*(?<!-))*' tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?' host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)'
docs/releases/1.8.3.txt+7 −0 modified@@ -60,6 +60,13 @@ The undocumented, internally unused ``validate_integer()`` function is now stricter as it validates using a regular expression instead of simply casting the value using ``int()`` and checking if an exception was raised. +Denial-of-service possibility in URL validation +=============================================== + +:class:`~django.core.validators.URLValidator` included a regular expression +that was extremely slow to evaluate against certain invalid inputs. This regular +expression has been simplified and optimized. + Bugfixes ========
tests/validators/invalid_urls.txt+2 −0 modified@@ -35,6 +35,8 @@ http://foo.bar/foo(bar)baz quux http://-error-.invalid/ http://-a.b.co http://a.b-.co +http://a.-b.co +http://a.b-.c.co http:/ http:// http://
tests/validators/tests.py+3 −0 modified@@ -172,6 +172,9 @@ # Trailing newlines not accepted (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError), (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError), + # Trailing junk does not take forever to reject + (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError), + (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError), (BaseValidator(True), True, None), (BaseValidator(True), False, ValidationError),
tests/validators/valid_urls.txt+1 −0 modified@@ -7,6 +7,7 @@ http://www.example.com/ http://www.example.com:8000/test http://valid-with-hyphens.com/ http://subdomain.example.com/ +http://a.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa http://200.8.9.10/ http://200.8.9.10:8000/test http://su--b.valid-----hyphens.com/
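Review bot: in the `django/core/validators.py` hunk the replacement `domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]*(?<!-))*'` uses `*` for the label body, so a dotted segment may now be empty and a host such as `a..b.co` passes the domain part, whereas the removed `[a-z' + ul + r'0-9]+` required at least one character per label; consider `+` (or a bounded `{1,63}`) and a matching entry in `invalid_urls.txt`. The rewrite itself is sound: the removed pattern nested `+` and `*` over overlapping character classes, which is what let a rejected tail backtrack exponentially, while the single class bracketed by `(?!-)` and `(?<!-)` keeps the no-leading/trailing-hyphen rule and can only backtrack within one label.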
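Review bot: the two cases under `# Trailing junk does not take forever to reject` in `tests/validators/tests.py` expect `ValidationError`, which the removed regex also raised, only after an unbounded delay; run against an unpatched `URLValidator` the suite hangs rather than fails, so the real regression guard is the runner's timeout, not the assertion. Consider checking these inputs under an explicit time bound, or at least stating in the comment that a hang here means the backtracking has been reintroduced.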
References
- github.com/advisories/GHSA-cqf7-ff9h-7967 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-5145 (GHSA, advisory)
- www.djangoproject.com/weblog/2015/jul/08/security-releases/ (NVD, vendor advisory)
- github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.8.3.txt (GHSA, web)
- github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c (GHSA, web)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-21.yaml (GHSA, web)
- security.gentoo.org/glsa/201510-06 (NVD, web)
- web.archive.org/web/20150924150801/http://www.securitytracker.com/id/1032820 (GHSA, web)
- web.archive.org/web/20170526042302/http://www.securityfocus.com/bid/75691 (GHSA, web)
- www.djangoproject.com/weblog/2015/jul/08/security-releases (GHSA, web)
- www.securityfocus.com/bid/75691 (NVD)
- www.securitytracker.com/id/1032820 (NVD)