VDB

BIT-DJANGO-2025-14550

BIT-DJANGO-2025-14550 PUBLISHED CVSS 7.5 HIGH

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
djangoprojectDjango6.0, 6.0.2, 5.2
djangoprojectasgiref3, 3.11.1

Timeline

  • Feb 3, 2026 CVE Published
  • Feb 3, 2026 PoC Published
  • Feb 3, 2026 PoC Published
  • Feb 3, 2026 PoC Published
  • Feb 13, 2026 PoC Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›