CVE-2023-36053

CVSS 7.5 HIGH · EPSS 2.7% · CWE-1333
In short

Django's EmailValidator and URLValidator are vulnerable to ReDoS (regular expression denial of service): an email address or URL whose domain part consists of a very large number of labels makes the validating regular expression backtrack so heavily that a single unauthenticated request can pin a worker's CPU for a long time, degrading or stalling the application.

Technical detail

EmailValidator and URLValidator check the domain part of an address or URL with regular expressions whose matching time grows super-linearly with the number of domain labels: when the overall match fails, the backtracking engine re-explores how the input is split into labels. An attacker who can submit a value with a very large number of labels (for example a long run of "a." segments) to anything that runs these validators reaches the vulnerable code directly; forms.EmailField, forms.URLField and the corresponding model fields use them by default. No authentication or user interaction is required (CVSS vector AV:N/AC:L/PR:N/UI:N) and the impact is limited to availability. The fix in Django 3.2.20, 4.1.10 and 4.2.3 rejects over-long values before the regex runs (320 characters for EmailValidator, the RFC 3696 maximum for an email address, and 2048 for URLValidator), which bounds the worst-case matching time. The practical check is the installed Django version (python -m django --version); every 4.x release before 4.1.10 counts as affected because 4.0 was already out of support when the fix shipped.
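The following is an added example written for this page; it is not Django's code and the patterns in it are not Django's regexes. It shows both halves of the problem: a deliberately ambiguous domain pattern (the dot sits inside the label character class, so a run of labels can be split in exponentially many ways) whose failed match gets dramatically slower as labels are added, beside a hardened stand-in that keeps dots out of labels and, as the upstream fix does, caps the input length before any regex runs. The names VULNERABLE_DOMAIN_RE, HARDENED_DOMAIN_RE, URL_SHAPE_RE, redos_payload, growth_ratio, validate_email_hardened and validate_url_hardened are this example's own; the URL shape it accepts is a simplification (no IP literals, ports, credentials or localhost), and the sample inputs are constructed.

```python
import re
import time

# Illustrative vulnerable domain pattern, constructed for this example; it is
# NOT Django's regex. Because "." is inside the label class, a run of labels can
# be partitioned into "label." groups in exponentially many ways, and on a
# failed match the backtracking engine tries every one of them (CWE-1333).
VULNERABLE_DOMAIN_RE = re.compile(r"(?:[a-z0-9.-]+\.)+[a-z]{2,63}", re.IGNORECASE)

# Hardened stand-in (not Django's regex either): a label can never contain a
# dot and is bounded to 63 characters (RFC 1034), so every dot is an
# unambiguous label boundary and a failed match backtracks a bounded amount
# per label, i.e. linearly in the input.
HARDENED_DOMAIN_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.IGNORECASE
)

# The upstream fix for CVE-2023-36053 rejects over-long values before any regex
# runs: 320 characters for an email address (RFC 3696 section 3) and 2048 for a
# URL. Bounding the input length bounds the worst-case matching time.
MAX_EMAIL_LENGTH = 320
MAX_URL_LENGTH = 2048

# Simplified URL shape (scheme://host[/path]) for this example only.
URL_SHAPE_RE = re.compile(r"(?:https?)://(?P<host>[^/\s]+)(?:/\S*)?", re.IGNORECASE)


def redos_payload(labels: int) -> str:
    """Constructed attacker input: many one-character labels followed by a
    final label too short to be a TLD, so the overall match must fail."""
    return "a." * labels + "a"


def time_fullmatch(pattern: re.Pattern, text: str, repeats: int = 3) -> float:
    """Best-of-N wall-clock seconds for a single fullmatch attempt."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.fullmatch(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern: re.Pattern, small: int, large: int) -> float:
    """How much slower a failed match gets going from `small` to `large` labels.
    A linear pattern stays in the neighbourhood of large/small; the ambiguous
    pattern explodes because each added label doubles the search space."""
    slow = time_fullmatch(pattern, redos_payload(large))
    fast = time_fullmatch(pattern, redos_payload(small))
    return slow / max(fast, 1e-9)


def validate_email_hardened(value: str) -> bool:
    """Length cap first, as the upstream fix does, then an unambiguous regex."""
    if not value or "@" not in value or len(value) > MAX_EMAIL_LENGTH:
        return False
    user, domain = value.rsplit("@", 1)
    return bool(user) and HARDENED_DOMAIN_RE.fullmatch(domain) is not None


def validate_url_hardened(value: str) -> bool:
    """Same idea for URLs: reject anything over MAX_URL_LENGTH before matching."""
    if not value or len(value) > MAX_URL_LENGTH:
        return False
    shape = URL_SHAPE_RE.fullmatch(value)
    return shape is not None and HARDENED_DOMAIN_RE.fullmatch(shape.group("host")) is not None


if __name__ == "__main__":
    print("vulnerable pattern, 6 -> 14 labels: %.0fx slower" % growth_ratio(VULNERABLE_DOMAIN_RE, 6, 14))
    print("hardened pattern,   6 -> 14 labels: %.0fx slower" % growth_ratio(HARDENED_DOMAIN_RE, 6, 14))
    print(validate_email_hardened("alice@example.com"))             # accepted
    print(validate_email_hardened("bob@" + redos_payload(5000)))    # rejected by the length cap, regex never runs
    print(validate_url_hardened("http://" + redos_payload(2000)))   # rejected by the length cap
```

Two points worth taking from this. The length cap is what shipped upstream and it is the cheap, safe change for any validator you own: it turns an unbounded worst case into a bounded one without touching the regex. It does not make an ambiguous pattern linear, though, so when you write a domain or hostname regex yourself, keep the separator out of the label character class and bound each label, as the hardened pattern here does; the growth ratio is the quick way to test a candidate pattern for this class of bug before it reaches an unauthenticated endpoint.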

Summary generated and translated by AI from the official description.
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
n/a · n/a
