CVE-2025-14550
Django has Inefficient Algorithmic Complexity
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 0.06%
Description
An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` (the request class Django builds when it runs under an ASGI server) allows a remote attacker to cause a potential denial of service via a crafted request carrying many duplicate headers: the cost of folding the duplicates into the request metadata grows faster than linearly with their number, so a single oversized request ties up the worker. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.
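The following is an added illustration of the bug class the advisory describes (duplicate-header merging with super-linear cost); it is not Django's code and does not claim to reproduce Django's exact implementation. It assumes the ASGI convention that headers reach the application as a list of `(name, value)` byte pairs, decodes them as latin-1, and maps names to CGI-style `META` keys. `merge_quadratic` rebuilds the stored string on every duplicate (the string is held by a dict, so CPython cannot grow it in place), `merge_linear` collects the pieces and joins once, and `enforce_header_limits` is a hypothetical front-end guard with assumed limits that a deployment could apply while waiting to upgrade. The sample request is constructed here.

```python
"""Added illustration of the bug class behind CVE-2025-14550 (duplicate-header
merging), not Django's own code. ASGI delivers headers to the application as
scope["headers"], a list of [name, value] byte pairs; an application that folds
duplicates into one comma-joined META value must do so in linear time."""
from __future__ import annotations

from collections import defaultdict


class TooManyHeaders(Exception):
    """Raised by the pre-parse guard when a request exceeds the configured limits."""


def cgi_name(raw_name: bytes) -> str:
    # CGI/WSGI convention: "x-forwarded-for" -> "HTTP_X_FORWARDED_FOR";
    # content-length and content-type carry no HTTP_ prefix.
    name = raw_name.decode("latin1").upper().replace("-", "_")
    if name in ("CONTENT_LENGTH", "CONTENT_TYPE"):
        return name
    return "HTTP_" + name


def merge_quadratic(headers: list[tuple[bytes, bytes]]) -> tuple[dict[str, str], int]:
    """Vulnerable pattern: rebuild the growing string on every duplicate.

    The accumulated string is referenced from the dict, so each concatenation
    copies everything seen so far. Returns (META, chars_copied) so the cost can
    be measured without relying on wall-clock timing.
    """
    meta: dict[str, str] = {}
    copied = 0
    for raw_name, raw_value in headers:
        key = cgi_name(raw_name)
        value = raw_value.decode("latin1")
        if key in meta:
            copied += len(meta[key])  # the whole previous value is copied again
            meta[key] = meta[key] + "," + value
        else:
            meta[key] = value
    return meta, copied


def merge_linear(headers: list[tuple[bytes, bytes]]) -> tuple[dict[str, str], int]:
    """Fixed pattern: collect the pieces per name, join once at the end."""
    parts: dict[str, list[str]] = defaultdict(list)
    for raw_name, raw_value in headers:
        parts[cgi_name(raw_name)].append(raw_value.decode("latin1"))
    meta = {key: ",".join(values) for key, values in parts.items()}
    copied = sum(len(v) for v in meta.values())  # every character is copied once
    return meta, copied


def enforce_header_limits(headers, *, max_headers: int = 100, max_duplicates: int = 10) -> None:
    """Hypothetical compensating control for a proxy or ASGI middleware: reject
    excessive header counts before the application parses them. The limits are
    assumed values, not something Django ships."""
    if len(headers) > max_headers:
        raise TooManyHeaders(f"{len(headers)} headers exceeds limit of {max_headers}")
    seen: dict[bytes, int] = defaultdict(int)
    for raw_name, _ in headers:
        seen[raw_name] += 1
        if seen[raw_name] > max_duplicates:
            raise TooManyHeaders(f"header {raw_name!r} repeated more than {max_duplicates} times")


def crafted_request(n: int) -> list[tuple[bytes, bytes]]:
    # Constructed sample input: one Host header plus n copies of the same header.
    return [(b"host", b"example.test")] + [(b"x-dup", b"0123456789")] * n


if __name__ == "__main__":
    headers = crafted_request(1000)
    quad_meta, quad_cost = merge_quadratic(headers)
    lin_meta, lin_cost = merge_linear(headers)
    assert quad_meta == lin_meta  # same result, very different amount of work
    print(f"quadratic merge copied {quad_cost} chars, linear merge copied {lin_cost} chars")
    try:
        enforce_header_limits(headers)
    except TooManyHeaders as exc:
        print("guard rejected request:", exc)
```

Both merge functions produce the same `META` dictionary; only the copy counter differs, and it is that difference, multiplied by a request rate an attacker controls, that turns a parsing detail into a denial of service. The guard is a stopgap at the edge; the fix is the upgrade listed below.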
How to fix CVE-2025-14550
To remediate CVE-2025-14550, upgrade to the first fixed release of the series you run (moving a 5.2 or 6.0 deployment to 4.2.28 would be a downgrade, not a fix):
- Django 4.2.x: upgrade to 4.2.28 or later
- Django 5.2.x: upgrade to 5.2.11 or later
- Django 6.0.x (including 6.0 pre-releases): upgrade to 6.0.2 or later
- Debian 12 package: upgrade to 3:3.2.25-0+deb12u2 or later
Is CVE-2025-14550 being exploited?
Low. EPSS is 0.06%, which is the model's estimated probability of exploitation in the wild over the next 30 days; it is a prediction, not a report of observed activity. The CVSS 3.1 vector (C:N/I:N/A:H) likewise records an availability-only impact: a successful attack degrades or stops service but discloses or alters nothing.
Affected packages (4)
- >= 4.2.0, < 4.2.28, >= 5.2.0, < 5.2.11, >= 6.0.0, < 6.0.2
- from 0, < 3:3.2.25-0+deb12u2
- >= 6.0a1, < 6.0.2
- >= 4.2, < 4.2.28, >= 5.2, < 5.2.11, >= 6.0, < 6.0.2
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 4.0 | n/a | n/a | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U |
| osv | CVSS 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |