CVE-2022-41323

CVSS 7.5 HIGH · EPSS 2.7% · CWE-1333
In short

Django's internationalized URL routing (routes declared with i18n_patterns()) treated the locale parameter as a regular expression instead of a literal prefix. An attacker who controls that value can supply a pattern that backtracks catastrophically, tying up a worker process and causing denial of service.

Technical detail

A regular expression denial of service (ReDoS, CWE-1333) vulnerability exists in Django's URL internationalization handling: the locale parameter is used as a regex pattern rather than being escaped or matched literally. Because regex metacharacters in the locale are interpreted, a crafted value can produce a pattern with catastrophic backtracking, exhausting CPU on the request thread and making the application unavailable. No authentication or user interaction is required (CVSS PR:N/UI:N); the impact is availability only (C:N/I:N/A:H). Projects that do not use i18n_patterns() are not affected. Upgrade to Django 3.2.16, 4.0.8 or 4.1.2.
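The bug class above, shown in isolation as an added example (this is not Django's code; the prefix-building functions, the language-code regex and the supported-language set are assumptions constructed for the illustration). The unsafe variant interpolates the locale into a pattern unescaped, so an alternation in the locale matches any path and a nested quantifier backtracks exponentially; the hardened variant escapes the locale with re.escape() and additionally rejects anything that is not a configured, syntactically valid language code.

```python
import re
import time

# Constructed for this example: the language codes the application supports.
SUPPORTED_LANGUAGES = {"en", "de", "pt-br"}

# Assumed approximation of a language-tag syntax check (not Django's exact
# regex): 1-8 letters, optional hyphenated subtags, optional @variant.
LANGUAGE_CODE_RE = re.compile(
    r"^[a-z]{1,8}(?:-[a-z0-9]{1,8})*(?:@[a-z0-9]{1,20})?$", re.IGNORECASE
)


def locale_prefix_regex_unsafe(locale):
    """Vulnerable pattern: the locale is interpolated into a regex unescaped,
    so regex metacharacters in it change what the pattern means."""
    return re.compile(r"^/" + locale + r"/")


def locale_prefix_regex_safe(locale):
    """Hardened pattern: re.escape() turns the locale into a literal prefix."""
    return re.compile(r"^/" + re.escape(locale) + r"/")


def is_acceptable_locale(locale):
    """Defence in depth: accept only syntactically valid, configured codes."""
    return bool(LANGUAGE_CODE_RE.match(locale)) and locale.lower() in SUPPORTED_LANGUAGES


def prefix_matches(path, locale, escaped):
    """Does `path` start with the locale prefix, under either construction?"""
    pattern = locale_prefix_regex_safe(locale) if escaped else locale_prefix_regex_unsafe(locale)
    return pattern.match(path) is not None


def time_unsafe_match(locale, path):
    """Wall-clock seconds for one unescaped match. For a locale such as
    '(a+)+$' and a path of n 'a's followed by a non-'a', this roughly doubles
    with every extra 'a' because the engine tries every partition of the run."""
    pattern = locale_prefix_regex_unsafe(locale)
    start = time.perf_counter()
    pattern.match(path)
    return time.perf_counter() - start


if __name__ == "__main__":
    # A locale containing an alternation makes the unescaped prefix match any path.
    print(prefix_matches("/admin/", "en|.*", escaped=False))  # True
    print(prefix_matches("/admin/", "en|.*", escaped=True))   # False
    # Catastrophic backtracking: watch the time grow with n.
    for n in (12, 16, 20):
        print(n, round(time_unsafe_match("(a+)+$", "/" + "a" * n + "!"), 4))
    # The allowlist rejects the crafted value before it reaches a regex at all.
    print(is_acceptable_locale("(a+)+$"))  # False
    print(is_acceptable_locale("pt-BR"))   # True
```

Escaping is the actual fix for the bug class; the allowlist is the check a practitioner adds so that a value which never could be a language code is rejected before any pattern is built.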

Summary generated and translated by AI from the official description.
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
Django 3.2 before 3.2.16 · Django 4.0 before 4.0.8 · Django 4.1 before 4.1.2
