CVE-2025-13473: CWE-208: Observable Timing Discrepancy in djangoproject Django
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
AI Analysis
Technical Summary
CVE-2025-13473 is a vulnerability identified in the Django web framework's authentication mechanism when used with mod_wsgi. Specifically, the issue lies in the django.contrib.auth.handlers.modwsgi.check_password() function, which performs password verification during user authentication. Because the function's response time differs depending on whether the supplied username exists, remote attackers can perform timing attacks to enumerate valid usernames: the time taken to verify a password differs measurably between existing and non-existing users, leaking whether an account exists. The vulnerability affects Django versions 6.0 prior to 6.0.2, 5.2 prior to 5.2.11, and 4.2 prior to 4.2.28. Earlier unsupported versions such as 5.0.x, 4.1.x, and 3.2.x were not evaluated but may also be vulnerable. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-208 (Observable Timing Discrepancy), meaning the timing side channel can be exploited to obtain information the application does not intend to disclose. Attackers can use it to enumerate valid usernames remotely without authenticating, and the resulting list can facilitate further attacks such as password guessing, phishing, or social engineering. The issue is particularly relevant for web applications that rely on Django's mod_wsgi authentication handler and expose login endpoints to the internet. Exploitation requires no interaction from victims; an attacker only needs to send authentication requests and measure response times, which makes the attack straightforward to automate.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of user data by enabling attackers to enumerate valid usernames remotely. This can lead to targeted brute force attacks, credential stuffing, or social engineering campaigns against confirmed users. Organizations with public-facing Django-based web applications, especially those using affected versions and mod_wsgi for authentication, are vulnerable. The exposure of valid usernames can undermine security controls and increase the likelihood of successful account compromise. This is particularly critical for sectors such as finance, healthcare, government, and e-commerce, where user identity protection is paramount. Additionally, the vulnerability could damage organizational reputation and lead to regulatory compliance issues under GDPR if user data is compromised. Although no known exploits are currently in the wild, the ease of exploitation and the widespread use of Django in Europe make this a credible threat that requires immediate attention.
Mitigation Recommendations
1. Upgrade Django to the latest patched versions: 4.2.28 or later, 5.2.11 or later, and 6.0.2 or later, as these contain fixes for the timing discrepancy in the mod_wsgi authentication handler.
2. If immediate upgrade is not feasible, implement application-level mitigations such as introducing constant-time password verification routines or adding artificial delays to normalize response times for authentication attempts.
3. Employ rate limiting and account lockout policies to reduce the effectiveness of automated timing attacks and brute force attempts.
4. Monitor authentication logs for unusual patterns indicative of enumeration attempts, such as repeated login failures with varying usernames from the same IP address.
5. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block timing attack patterns targeting login endpoints.
6. Educate development and security teams about timing side-channel risks and encourage secure coding practices that avoid leaking sensitive information through response timing.
7. Review and harden authentication workflows, including multi-factor authentication (MFA) adoption, to mitigate risks from compromised credentials following enumeration.
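The second recommendation above (make the password check cost the same whether or not the username exists) as an added, constructed example. This is not Django's or mod_wsgi's own code: the in-memory user store, the PBKDF2 parameters, the dummy-credential technique and the handler names are all assumptions, and the three-valued result (None for unknown user, False for wrong password, True for success) is an assumed contract used here only to keep both handlers comparable. The leaky handler returns early for unknown users; the hardened one verifies against a throwaway credential so both code paths do a full hash computation, and `timing_gap_ms()` measures what a remote observer would see.

```python
"""
Constructed demonstration of the CWE-208 mitigation for a mod_wsgi-style
password handler: equalise the work done for known and unknown usernames
so that response time no longer reveals which accounts exist.
Example code only; not Django's implementation.
"""
import hashlib
import hmac
import os
import time
from statistics import median
from typing import Optional, Tuple

# Deliberately low iteration count so the demo runs in well under a second.
# Real deployments use far higher counts (and a framework hasher, not this).
ITERATIONS = 20_000
SALT_BYTES = 16


def make_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare it in constant time."""
    _, digest = make_hash(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed user store: username -> (salt, digest). Only "alice" exists.
USERS = {"alice": make_hash("correct horse battery staple")}

# Dummy credential (assumption) used only to burn the same CPU time for
# unknown users. Its verification result is always discarded.
_DUMMY_SALT, _DUMMY_HASH = make_hash(os.urandom(32).hex())


def check_password_leaky(environ: dict, username: str, password: str):
    """Handler that returns early when the user is unknown.
    None = unknown user, False = wrong password, True = success (assumed
    contract). The early return is the observable timing discrepancy."""
    record = USERS.get(username)
    if record is None:
        return None
    return verify(password, *record)


def check_password_constant_work(environ: dict, username: str, password: str):
    """Hardened variant: an unknown user still costs a full verification
    against the dummy credential, so both paths take the same time."""
    record = USERS.get(username)
    if record is None:
        verify(password, _DUMMY_SALT, _DUMMY_HASH)  # result intentionally ignored
        return None
    return verify(password, *record)


def timing_gap_ms(handler, samples: int = 15) -> float:
    """Median response-time difference in milliseconds between an existing
    and a non-existing username, i.e. the signal a remote observer sees."""
    def sample(username: str) -> float:
        times = []
        for _ in range(samples):
            t0 = time.perf_counter()
            handler({}, username, "wrong-password")
            times.append(time.perf_counter() - t0)
        return median(times)

    return (sample("alice") - sample("nobody")) * 1000


if __name__ == "__main__":
    print(f"leaky handler gap:         {timing_gap_ms(check_password_leaky):.2f} ms")
    print(f"constant-work handler gap: {timing_gap_ms(check_password_constant_work):.2f} ms")
```

Running the module prints a gap of several milliseconds for the leaky handler (roughly one full PBKDF2 computation) and a gap near zero for the constant-work one. The same idea applies to any lookup-then-verify flow: the branch that fails fast must pay for the expensive step it skips.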
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: DSF
- Date Reserved: 2025-11-20T11:44:39.641Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69820d79f9fa50a62fcd6032
Added to database: 2/3/2026, 3:00:09 PM
Last enriched: 2/3/2026, 3:16:18 PM
Last updated: 2/7/2026, 4:48:53 PM