Description
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
References (9)
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5254
Patch, Third Party Advisory
https://docs.djangoproject.com/en/4.0/releases/security/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220221-0003/
Patch, Third Party Advisory
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
Scores
CVSS v3: 7.5
EPSS: 0.0359
EPSS Percentile: 87.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-835
Status: published
Products (5)
debian/debian_linux: 11.0
djangoproject/django: 2.2 - 2.2.27
fedoraproject/fedora: 34
fedoraproject/fedora: 35
pypi/Django: 2.2 - 2.2.27 (PyPI)
Published: Feb 03, 2022
Tracked Since: Feb 18, 2026