CVE-2025-64458

CVE-2025-64458: Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows

Vendor: Djangoproject
Product: Django
Weakness: CWE-407
Published: November 5, 2025
Last update: November 5, 2025

What the vulnerability does

01 Description

An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
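A triage check for the version ranges in the description above, added here as an example; it is not code from Django or from this record. The function names and the status labels (`affected`, `fixed`, `not-evaluated`, `not-listed`) are assumptions made for illustration.

```python
import platform
import re
from importlib import metadata

# First fixed patch release per supported series, taken from the CVE description.
FIXED = {(5, 2): 8, (5, 1): 14, (4, 2): 26}


def classify(version: str) -> str:
    """Map a Django version string to its status for CVE-2025-64458."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Django version: {version!r}")
    series = (int(m.group(1)), int(m.group(2)))
    # "5.2" and pre-releases such as "5.2rc1" carry no patch number: treat as 0.
    patch = int(m.group(3) or 0)
    if series in FIXED:
        return "fixed" if patch >= FIXED[series] else "affected"
    if series < max(FIXED):
        # Older, unsupported series: the record says these were not evaluated
        # and may also be affected.
        return "not-evaluated"
    # Newer than any series the record mentions; the record makes no statement.
    return "not-listed"


def check_environment() -> dict:
    """Report the installed Django version, its status, and whether the host is Windows."""
    try:
        version = metadata.version("Django")
    except metadata.PackageNotFoundError:
        return {"installed": False}
    return {
        "installed": True,
        "version": version,
        "status": classify(version),
        # The slow NFKC normalization described in the record is Windows-specific.
        "windows": platform.system() == "Windows",
    }


if __name__ == "__main__":
    print(check_environment())
```

Hosts reporting `affected` or `not-evaluated` together with `windows: True` are the ones to prioritise for upgrade.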

Key dates

02 Disclosure timeline

November 5, 2025: CVE published
November 5, 2025: Record updated
