CVE-2025-13473
python-django - security update
CVSS 3.1 base score: 5.3 (MEDIUM)
EPSS: 0.04%
Description
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function, used for authentication via `mod_wsgi`, allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
How to fix CVE-2025-13473
To remediate CVE-2025-13473, upgrade the affected package to a fixed version below.
- upgrade to 4.2.28 or later
- upgrade to 2:2.2.28-1~deb11u12 or later
- upgrade to 2:2.2.28-1~deb11u12 or later
- upgrade to 3:3.2.25-0+deb12u2 or later
- upgrade to 6.0.2 or later
- upgrade to 4.2.28 or later
Is CVE-2025-13473 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- >= 4.2.0, < 4.2.28, >= 5.2.0, < 5.2.11, >= 6.0.0, < 6.0.2
- from 0, < 2:2.2.28-1~deb11u12
- from 0, < 2:2.2.28-1~deb11u12
- from 0, < 3:3.2.25-0+deb12u2
- >= 6.0a1, < 6.0.2
- >= 4.2, < 4.2.28, >= 5.2, < 5.2.11, >= 6.0, < 6.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |