High severityNVD Advisory· Published Mar 3, 2026· Updated Mar 3, 2026
Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows
CVE-2026-25673
Description
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. URLField.to_python() in Django calls urllib.parse.urlsplit(), which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 6.0, < 6.0.3 | 6.0.3 |
DjangoPyPI | >= 5.2, < 5.2.12 | 5.2.12 |
DjangoPyPI | >= 4.2, < 4.2.29 | 4.2.29 |
Affected products
1- Range: 6.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- docs.djangoproject.com/en/dev/releases/security/mitrevendor-advisory
- github.com/advisories/GHSA-8p8v-wh79-9r56ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25673ghsaADVISORY
- www.djangoproject.com/weblog/2026/mar/03/security-releases/mitrevendor-advisory
- docs.djangoproject.com/en/dev/releases/securityghsaWEB
- groups.google.com/g/django-announceghsamailing-listWEB
- www.djangoproject.com/weblog/2026/mar/03/security-releasesghsaWEB
News mentions
0No linked articles in our index yet.