CVE-2025-64458

HIGH

Django 4.2-4.2.25, 5.1-5.1.13, 5.2-5.2.7 - Denial of Service via NFKC Unicode Normalization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-64458. PoC published by ch4n3-yoon.

AI-analyzed exploit summary: This repository contains a functional PoC demonstrating CVE-2025-64458, a DoS vulnerability in Django's redirect responses on Windows due to slow Unicode NFKC normalization. The PoC measures the performance impact of constructing redirect responses with excessively long Unicode URLs.

Description

An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
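The block below is an added example; it is not code from this page, from ch4n3-yoon's PoC, or from Django. It reproduces the expensive step and shows the cheap guard a view can apply in front of it. Python's `urllib.parse.urlsplit()` NFKC-normalizes a non-ASCII host while validating the netloc, and Django's redirect constructor calls `urlsplit()` on the target to check its scheme, so a long run of non-ASCII characters in the host is what drives the cost. The helper names, the full-width-letter payload and the 2048-character cap are assumptions made for illustration (the advisory states none of them), and the measured times only become large on Windows.

```python
"""
Added example for CVE-2025-64458 (not from the page, the PoC, or Django).

Reproduces the NFKC-heavy path (urlsplit() over a long non-ASCII host) and
shows a length cap applied before any parsing happens.

Assumptions, not from the advisory: helper names are invented, the payload
character is chosen for illustration, and 2048 is a conventional URL length
limit rather than a value the advisory gives.
"""
import time
import unicodedata
from urllib.parse import urlsplit

# Full-width Latin 'A' is non-ASCII, so urlsplit() must NFKC-normalize the
# whole host. Constructed payload, not captured from a real attack.
FULLWIDTH_A = "\uff21"

# Assumption: a conventional cap, not a value taken from the advisory.
MAX_REDIRECT_LENGTH = 2048


class DisallowedRedirect(ValueError):
    """Stand-in for the exception a view raises on a rejected target."""


def build_payload(n_chars: int) -> str:
    """Redirect target whose host part is n_chars of non-ASCII text."""
    return "http://" + FULLWIDTH_A * n_chars + "/"


def time_urlsplit(target: str) -> float:
    """Seconds spent in urlsplit(), which NFKC-checks a non-ASCII netloc."""
    start = time.perf_counter()
    urlsplit(target)
    return time.perf_counter() - start


def time_nfkc(text: str) -> float:
    """Seconds spent in the bare NFKC normalization of the same text."""
    start = time.perf_counter()
    unicodedata.normalize("NFKC", text)
    return time.perf_counter() - start


def checked_redirect_target(target: str,
                            max_length: int = MAX_REDIRECT_LENGTH) -> str:
    """
    Validate a user-supplied redirect target before it reaches
    HttpResponseRedirect. The length check is O(1) and runs first, so an
    oversized target never reaches urlsplit() and its NFKC work.
    """
    if len(target) > max_length:
        raise DisallowedRedirect(
            f"redirect target is {len(target)} chars, limit is {max_length}")
    parsed = urlsplit(target)  # only paid for once the size is bounded
    if parsed.scheme and parsed.scheme not in ("http", "https", "ftp"):
        raise DisallowedRedirect(f"unsafe scheme {parsed.scheme!r}")
    return target


def is_rejected(target: str) -> bool:
    """True when checked_redirect_target() refuses the target."""
    try:
        checked_redirect_target(target)
    except DisallowedRedirect:
        return True
    return False


if __name__ == "__main__":
    # Timings grow sharply with n on Windows; on Linux they stay small.
    for n in (1_000, 100_000, 1_000_000):
        p = build_payload(n)
        print(f"{n:>9} chars: urlsplit {time_urlsplit(p):.4f}s, "
              f"NFKC {time_nfkc(p):.4f}s, rejected={is_rejected(p)}")
```

Run it on a Windows host to see the per-request cost the PoC measures; on the same input, `is_rejected()` returns True without ever entering `urlsplit()`, which is the property a fix for this class of bug needs. Upgrading to the fixed Django releases is the real remediation; the cap is the defence a view can apply independently of that.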

Exploits (1)

github · WORKING POC
by ch4n3-yoon · python · poc
https://github.com/ch4n3-yoon/CVE-2025-64458-Demo


Classification: Working PoC (100%)
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Django (versions before 4.2.26, 5.1.14, 5.2.8)
Authentication: none needed
Prerequisites: Django application running on Windows · Endpoint that reflects or uses user-supplied redirect targets
Analyzed by devstral-2 on Feb 19, 2026

Scores

CVSS v3.1 base score: 7.5 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
EPSS: 0.0003 (0.03%)
EPSS Percentile: 7.3%

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-407 (Inefficient Algorithmic Complexity)
Status: published
Products (4); each range lists affected versions, with the upper bound being the first fixed release:
djangoproject/django 4.2 - 4.2.26
pypi/django 0 - 4.2.26 (PyPI)
pypi/django 5.0a1 - 5.1.14 (PyPI)
pypi/django 5.2a1 - 5.2.8 (PyPI)
Published: Nov 05, 2025
Tracked Since: Feb 18, 2026