CVE-2025-64460

216.73.217.22

· Published 02/12/2025 16:15 · Modified 10/12/2025 21:47

Labels: CVE-2025-64460 2025-12-02 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 CVE-2025-64460 CWE-407

Essential information

Published: 02/12/2025 16:15
Modified: 10/12/2025 21:47
Author: —
Creator: —
CVSS: 7.5 HIGH (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

NVD status

Status: Analyzed — CVE has had analysis completed and all data associations made.
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92
NVD: View on NVD

Affected products (CPE)

Product	CPE
djangoproject / django	`cpe:2.3:a:djangoproject:django::::::::`
djangoproject / django	`cpe:2.3:a:djangoproject:django::::::::`
djangoproject / django	`cpe:2.3:a:djangoproject:django::::::::`