CVE-2026-25673

Description

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of service via large URL inputs containing these characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

How to fix CVE-2026-25673

To remediate CVE-2026-25673, upgrade the affected package to a fixed version below.

• —upgrade to 4.2.29 or later
• —upgrade to 6.0.3 or later

Is CVE-2026-25673 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 4.2.0, < 4.2.29, >= 5.2.0, < 5.2.12, >= 6.0.0, < 6.0.3
• >= 6.0, < 6.0.3

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-25673
• PATCHgithub.com/django/django
• WEBdocs.djangoproject.com/en/dev/releases/security
• WEBdocs.djangoproject.com/en/dev/releases/security/
• WEBgroups.google.com