CVE-2025-64460
HIGHDjango 4.2-4.2.26 5.1-5.1.14 5.2a1-5.2.8 - Denial of Service via XML Deserializer
Title source: llmDescription
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
References (3)
Core 3
Core References
Patch, Vendor Advisory vendor-advisory
https://docs.djangoproject.com/en/dev/releases/security/
Mailing List, Release Notes mailing-list
https://groups.google.com/g/django-announce
Patch, Vendor Advisory vendor-advisory
https://www.djangoproject.com/weblog/2025/dec/02/security-releases/
Scores
CVSS v3
7.5
EPSS
0.0211
EPSS Percentile
79.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-407
Status
published
Products (4)
djangoproject/django
4.2 - 4.2.27
pypi/Django
4.2a1 - 4.2.27PyPI
pypi/Django
5.1a1 - 5.1.15PyPI
pypi/Django
5.2a1 - 5.2.9PyPI
Published
Dec 02, 2025
Tracked Since
Feb 18, 2026