VDB
BIT-DJANGO-2025-14550
BIT-DJANGO-2025-14550
PUBLISHED
CVSS 7.5 HIGH
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| djangoproject | Django | 6.0, 6.0.2, 5.2 |
| djangoproject | asgiref | 3, 3.11.1 |
Timeline
- Feb 3, 2026 CVE Published
- Feb 3, 2026 PoC Published
- Feb 3, 2026 PoC Published
- Feb 3, 2026 PoC Published
- Feb 13, 2026 PoC Published
References
- Django security archive vendor-advisory
- Django releases announcements mailing-list
- Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 vendor-advisory