VYPR
High severity · NVD Advisory · Published Feb 3, 2022 · Updated Aug 3, 2024

CVE-2022-23833

Description

An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Django's multipart form parser could be driven into an infinite loop (denial of service) by a crafted base64-encoded file part; fixed in 2.2.27, 3.2.12 and 4.0.2.

Vulnerability

CVE-2022-23833 is a denial-of-service vulnerability in the parse() method of Django's MultiPartParser, the component that parses multipart/form-data request bodies. The affected code is the branch that handles a file part declared with Content-Transfer-Encoding: base64. Base64 has to be decoded in quanta of four characters, so the parser strips whitespace from each chunk it reads and, when the stripped length is not a multiple of four, reads a few more bytes from the field stream until it is. If the part ends first, read() returns an empty byte string, the remainder never changes, and the loop never exits: an unchecked end-of-stream in that padding loop, not a problem with part boundaries [1][2]. Affected versions are Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 [1].

Exploitation

An attacker exploits this by sending a crafted multipart/form-data POST to a Django view that reads the request body (anything that touches request.POST or request.FILES runs the multipart parser): one file part with Content-Transfer-Encoding: base64 whose body, once whitespace is removed, has a length that is not a multiple of four and then ends. Django's own regression test uses a single-byte body, "!". No authentication is needed if such a view is reachable anonymously, and the request is tiny; the cost falls entirely on the server, where the worker handling the request spins in the padding loop and never returns [2].
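The following is an added illustration of the mechanics described in the Vulnerability and Exploitation sections; it is not Django's code or part of this advisory. It re-creates the base64 padding loop from MultiPartParser.parse() in its pre-fix and fixed forms, with io.BytesIO standing in for Django's field stream, and builds the same request body as the upstream regression test. The boundary string, the 5-byte chunk size, the iteration cap that makes the unpatched spin observable, the local MultiPartParserError stand-in and the sample bodies are all assumptions of this example.

```python
import base64
import binascii
import io


class MultiPartParserError(Exception):
    """Local stand-in for the parse error Django raises on undecodable base64."""


class LoopDidNotTerminate(Exception):
    """Raised by the unpatched model once the iteration cap is hit."""


def _pad_to_quantum(stripped_chunk, field_stream, patched, max_iterations=1000):
    """Grow stripped_chunk to a multiple of 4 bytes by reading more of the part.

    patched=False models the loop before 2.2.27/3.2.12/4.0.2: once the part is
    exhausted, read() returns b"", `remaining` never changes and the loop spins.
    patched=True adds the `if not over_chunk: break` from the fix commits.
    The iteration cap is an assumption of this example, not Django behaviour.
    """
    remaining = len(stripped_chunk) % 4
    iterations = 0
    while remaining != 0:
        iterations += 1
        if iterations > max_iterations:
            raise LoopDidNotTerminate("read() kept returning b'' at end of part")
        over_chunk = field_stream.read(4 - remaining)
        if patched and not over_chunk:
            break
        stripped_chunk += b"".join(over_chunk.split())
        remaining = len(stripped_chunk) % 4
    return stripped_chunk


def decode_base64_part(part_body, patched, chunk_size=5):
    """Decode a base64 file part chunk by chunk. chunk_size is deliberately
    tiny so the padding loop is exercised on valid input too."""
    field_stream = io.BytesIO(part_body)
    decoded = b""
    while True:
        chunk = field_stream.read(chunk_size)
        if not chunk:
            return decoded
        stripped_chunk = b"".join(chunk.split())
        stripped_chunk = _pad_to_quantum(stripped_chunk, field_stream, patched)
        try:
            decoded += base64.b64decode(stripped_chunk)
        except binascii.Error as exc:
            raise MultiPartParserError("Could not decode base64 data: %r" % exc)


BOUNDARY = "BoUnDaRyStRiNg"  # constructed; any token absent from the body works


def crafted_request_body(file_body=b"!", boundary=BOUNDARY):
    """Multipart body shaped like Django's regression test: one file part
    declared base64 whose body is file_body."""
    head = "\r\n".join([
        "--" + boundary,
        'Content-Disposition: form-data; name="file"; filename="test.txt"',
        "Content-Type: application/octet-stream",
        "Content-Transfer-Encoding: base64",
        "",
        "",
    ]).encode()
    return head + file_body + ("\r\n--" + boundary + "--\r\n").encode()


def file_part_body(request_body, boundary=BOUNDARY):
    """Extract the single part's body (not Django's parser: a one-part body is
    split at the blank line after the headers and at the closing boundary)."""
    _, _, rest = request_body.partition(b"\r\n\r\n")
    body, _, _ = rest.partition(("\r\n--" + boundary).encode())
    return body


def outcome(part_body, patched):
    """Run the decoder; return 'hang', 'error' or the decoded bytes."""
    try:
        return decode_base64_part(part_body, patched)
    except LoopDidNotTerminate:
        return "hang"
    except MultiPartParserError:
        return "error"


# Constructed sample inputs.
VALID_BODY = base64.encodebytes(b"Hello, multipart world")  # 32 chars + "\n"
TEST_PAYLOAD_BODY = file_part_body(crafted_request_body())  # b"!" as in the test
TRUNCATED_BODY = b"QUJDRA"  # "ABCD" in base64 with its "==" padding cut off

if __name__ == "__main__":
    for name, body in [("valid", VALID_BODY), ("test '!'", TEST_PAYLOAD_BODY),
                       ("truncated", TRUNCATED_BODY)]:
        print("%-10s unpatched=%r  patched=%r"
              % (name, outcome(body, False), outcome(body, True)))
```

Two things the trace shows that the prose alone does not: valid base64 never reaches the end-of-stream case, because its whitespace-stripped length is always a multiple of four, so the added break only changes behaviour for bodies that end mid-quantum; and after the fix the leftover partial quantum is handed to the decoder, which discards a non-alphabet byte such as "!" (empty file, as the upstream test asserts) but rejects a genuinely truncated quantum such as "QUJDRA" with a decode error.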

Impact

Successful exploitation leaves the worker process or thread handling the request stuck in a busy loop, consuming a CPU core until the process is killed or restarted. Each further request ties up another worker, so a handful of requests can exhaust a fixed-size synchronous worker pool and make the application unresponsive to legitimate users [1][2].

Mitigation

The vulnerability is fixed in Django 2.2.27, 3.2.12 and 4.0.2, released on February 3, 2022 [1][3][4]; upgrade to one of these or a later release. There is no setting that disables the affected branch: the multipart parser runs for any multipart request whose view reads request.POST or request.FILES, so removing upload forms from the interface does not by itself remove the parse path. If the upgrade has to wait, limit exposure at the edge (for example, have a reverse proxy or WAF reject multipart requests whose parts carry Content-Transfer-Encoding: base64) and make sure the application server's worker timeout is set, so a worker stuck in the loop is killed and replaced rather than lost.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions    Patched version
Django    PyPI        >= 2.2, < 2.2.27     2.2.27
Django    PyPI        >= 3.2, < 3.2.12     3.2.12
Django    PyPI        >= 4.0, < 4.0.2      4.0.2

Affected products: 74

Patches: 3
c477b7618049

[2.2.x] Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.

https://github.com/django/django · Mariusz Felisiak · Jan 21, 2022 · via ghsa
3 files changed · +28 −0
  • django/http/multipartparser.py (+2 −0, modified)
    @@ -240,6 +240,8 @@ def parse(self):
                                     remaining = len(stripped_chunk) % 4
                                     while remaining != 0:
                                         over_chunk = field_stream.read(4 - remaining)
    +                                    if not over_chunk:
    +                                        break
                                         stripped_chunk += b"".join(over_chunk.split())
                                         remaining = len(stripped_chunk) % 4
     
    
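Review bot: the `if not over_chunk: break` stops the spin once `field_stream.read()` returns b'' at the end of the part, but it leaves `stripped_chunk` at a length that is not a multiple of 4, and nothing in this hunk says whether that partial final quantum is then rejected or passed on to the decoder as-is; a one-line comment at the break ("part ended mid-quantum; hand the leftover to the decoder") would record the intent, and raising a parse error for a truncated base64 part would be the stricter alternative. A second comment is worth adding on why the loop still terminates when `over_chunk` is short or whitespace-only: `len(stripped_chunk) % 4` may not change on that iteration, but every `read()` moves toward the b'' that now triggers the break.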
  • docs/releases/2.2.27.txt (+6 −0, modified)
    @@ -15,3 +15,9 @@ posing an XSS attack vector.
     In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
     information when the ``DEBUG`` setting is ``False``, and it ensures all context
     variables are correctly escaped when the ``DEBUG`` setting is ``True``.
    +
    +CVE-2022-23833: Denial-of-service possibility in file uploads
    +=============================================================
    +
    +Passing certain inputs to multipart forms could result in an infinite loop when
    +parsing files.
    
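Review bot: the new section repeats the CVE description without the condition that triggers the bug (a file part sent with `Content-Transfer-Encoding: base64` that ends before a full base64 quantum has been read), so someone reading the release notes cannot judge whether their deployment accepts such input; the `{% debug %}` entry directly above names both the trigger and the change made, and this entry should match that level of detail with one more sentence.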
  • tests/file_uploads/tests.py (+20 −0, modified)
    @@ -142,6 +142,26 @@ def test_big_base64_upload(self):
         def test_big_base64_newlines_upload(self):
             self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
     
    +    def test_base64_invalid_upload(self):
    +        payload = client.FakePayload('\r\n'.join([
    +            '--' + client.BOUNDARY,
    +            'Content-Disposition: form-data; name="file"; filename="test.txt"',
    +            'Content-Type: application/octet-stream',
    +            'Content-Transfer-Encoding: base64',
    +            ''
    +        ]))
    +        payload.write(b'\r\n!\r\n')
    +        payload.write('--' + client.BOUNDARY + '--\r\n')
    +        r = {
    +            'CONTENT_LENGTH': len(payload),
    +            'CONTENT_TYPE': client.MULTIPART_CONTENT,
    +            'PATH_INFO': '/echo_content/',
    +            'REQUEST_METHOD': 'POST',
    +            'wsgi.input': payload,
    +        }
    +        response = self.client.request(**r)
    +        self.assertEqual(response.json()['file'], '')
    +
         def test_unicode_file_name(self):
             with sys_tempfile.TemporaryDirectory() as temp_dir:
                 # This file contains Chinese symbols and an accented char in the name.
    
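Review bot: the test pins only the post-fix result (`response.json()['file'] == ''`); on unpatched code it does not fail, it hangs the run, and nothing in the test says why `b'\r\n!\r\n'` has that effect. A comment stating that the single non-base64 byte leaves `stripped_chunk` at length 1, so the padding loop reads to end-of-part, would make the regression intent readable, and a name such as `test_base64_truncated_upload` would say what is invalid. Minor: the payload is assembled from a str join, a bytes write and another str write; one bytes literal for the whole body would be easier to read and to compare against the multipart wire format.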
f9c7d48fdd6f

[4.0.x] Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.

https://github.com/django/django · Mariusz Felisiak · Jan 21, 2022 · via ghsa
5 files changed · +40 −0
  • django/http/multipartparser.py (+2 −0, modified)
    @@ -248,6 +248,8 @@ def parse(self):
                                     remaining = len(stripped_chunk) % 4
                                     while remaining != 0:
                                         over_chunk = field_stream.read(4 - remaining)
    +                                    if not over_chunk:
    +                                        break
                                         stripped_chunk += b"".join(over_chunk.split())
                                         remaining = len(stripped_chunk) % 4
     
    
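Review bot: this is the 2.2.x change at offset 248 instead of 240, and the same gap carries over: after `break`, `stripped_chunk` is left at a length that is not a multiple of 4 with no comment on how the leftover partial quantum is treated downstream; a short comment at the break, or an explicit parse error for a truncated base64 part, would make the backport self-explanatory.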
  • docs/releases/2.2.27.txt (+6 −0, modified)
    @@ -15,3 +15,9 @@ posing an XSS attack vector.
     In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
     information when the ``DEBUG`` setting is ``False``, and it ensures all context
     variables are correctly escaped when the ``DEBUG`` setting is ``True``.
    +
    +CVE-2022-23833: Denial-of-service possibility in file uploads
    +=============================================================
    +
    +Passing certain inputs to multipart forms could result in an infinite loop when
    +parsing files.
    
  • docs/releases/3.2.12.txt (+6 −0, modified)
    @@ -15,3 +15,9 @@ posing an XSS attack vector.
     In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
     information when the ``DEBUG`` setting is ``False``, and it ensures all context
     variables are correctly escaped when the ``DEBUG`` setting is ``True``.
    +
    +CVE-2022-23833: Denial-of-service possibility in file uploads
    +=============================================================
    +
    +Passing certain inputs to multipart forms could result in an infinite loop when
    +parsing files.
    
  • docs/releases/4.0.2.txt (+6 −0, modified)
    @@ -18,6 +18,12 @@ In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
     information when the ``DEBUG`` setting is ``False``, and it ensures all context
     variables are correctly escaped when the ``DEBUG`` setting is ``True``.
     
    +CVE-2022-23833: Denial-of-service possibility in file uploads
    +=============================================================
    +
    +Passing certain inputs to multipart forms could result in an infinite loop when
    +parsing files.
    +
     Bugfixes
     ========
     
    
  • tests/file_uploads/tests.py (+20 −0, modified)
    @@ -139,6 +139,26 @@ def test_big_base64_upload(self):
         def test_big_base64_newlines_upload(self):
             self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
     
    +    def test_base64_invalid_upload(self):
    +        payload = client.FakePayload('\r\n'.join([
    +            '--' + client.BOUNDARY,
    +            'Content-Disposition: form-data; name="file"; filename="test.txt"',
    +            'Content-Type: application/octet-stream',
    +            'Content-Transfer-Encoding: base64',
    +            ''
    +        ]))
    +        payload.write(b'\r\n!\r\n')
    +        payload.write('--' + client.BOUNDARY + '--\r\n')
    +        r = {
    +            'CONTENT_LENGTH': len(payload),
    +            'CONTENT_TYPE': client.MULTIPART_CONTENT,
    +            'PATH_INFO': '/echo_content/',
    +            'REQUEST_METHOD': 'POST',
    +            'wsgi.input': payload,
    +        }
    +        response = self.client.request(**r)
    +        self.assertEqual(response.json()['file'], '')
    +
         def test_unicode_file_name(self):
             with sys_tempfile.TemporaryDirectory() as temp_dir:
                 # This file contains Chinese symbols and an accented char in the name.
    
d16133568ef9

[3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.

https://github.com/django/django · Mariusz Felisiak · Jan 21, 2022 · via ghsa
4 files changed · +34 −0
  • django/http/multipartparser.py (+2 −0, modified)
    @@ -248,6 +248,8 @@ def parse(self):
                                     remaining = len(stripped_chunk) % 4
                                     while remaining != 0:
                                         over_chunk = field_stream.read(4 - remaining)
    +                                    if not over_chunk:
    +                                        break
                                         stripped_chunk += b"".join(over_chunk.split())
                                         remaining = len(stripped_chunk) % 4
     
    
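Review bot: identical to the 2.2.x and 4.0.x hunks apart from the offset, so the same point stands: the break on an empty `over_chunk` ends the spin but leaves `stripped_chunk` one to three bytes short of a full quantum, and the hunk gives no hint whether that is meant to be decoded leniently or rejected; please add the comment (or the explicit error) here too so all three branches read the same.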
  • docs/releases/2.2.27.txt (+6 −0, modified)
    @@ -15,3 +15,9 @@ posing an XSS attack vector.
     In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
     information when the ``DEBUG`` setting is ``False``, and it ensures all context
     variables are correctly escaped when the ``DEBUG`` setting is ``True``.
    +
    +CVE-2022-23833: Denial-of-service possibility in file uploads
    +=============================================================
    +
    +Passing certain inputs to multipart forms could result in an infinite loop when
    +parsing files.
    
  • docs/releases/3.2.12.txt (+6 −0, modified)
    @@ -15,3 +15,9 @@ posing an XSS attack vector.
     In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
     information when the ``DEBUG`` setting is ``False``, and it ensures all context
     variables are correctly escaped when the ``DEBUG`` setting is ``True``.
    +
    +CVE-2022-23833: Denial-of-service possibility in file uploads
    +=============================================================
    +
    +Passing certain inputs to multipart forms could result in an infinite loop when
    +parsing files.
    
  • tests/file_uploads/tests.py (+20 −0, modified)
    @@ -143,6 +143,26 @@ def test_big_base64_upload(self):
         def test_big_base64_newlines_upload(self):
             self._test_base64_upload("Big data" * 68000, encode=base64.encodebytes)
     
    +    def test_base64_invalid_upload(self):
    +        payload = client.FakePayload('\r\n'.join([
    +            '--' + client.BOUNDARY,
    +            'Content-Disposition: form-data; name="file"; filename="test.txt"',
    +            'Content-Type: application/octet-stream',
    +            'Content-Transfer-Encoding: base64',
    +            ''
    +        ]))
    +        payload.write(b'\r\n!\r\n')
    +        payload.write('--' + client.BOUNDARY + '--\r\n')
    +        r = {
    +            'CONTENT_LENGTH': len(payload),
    +            'CONTENT_TYPE': client.MULTIPART_CONTENT,
    +            'PATH_INFO': '/echo_content/',
    +            'REQUEST_METHOD': 'POST',
    +            'wsgi.input': payload,
    +        }
    +        response = self.client.request(**r)
    +        self.assertEqual(response.json()['file'], '')
    +
         def test_unicode_file_name(self):
             with sys_tempfile.TemporaryDirectory() as temp_dir:
                 # This file contains Chinese symbols and an accented char in the name.
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 17

News mentions: 0

No linked articles in our index yet.