CVE-2025-64458 is a vulnerability classified under CWE-407 (Inefficient Algorithmic Complexity) affecting the Django web framework versions 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The root cause is the slow performance of NFKC (Normalization Form KC) Unicode normalization on Windows operating systems. Specifically, Django’s HTTP redirect functions—`HttpResponseRedirect`, `HttpResponsePermanentRedirect`, and the shortcut `redirect`—perform NFKC normalization on input strings. When these inputs contain a very large number of Unicode characters, the normalization process becomes computationally expensive, leading to excessive CPU consumption. This inefficiency can be exploited by an attacker to craft malicious HTTP requests with specially constructed Unicode payloads that trigger prolonged processing times, effectively causing a denial-of-service (DoS) condition by exhausting server resources. The vulnerability does not require authentication or user interaction, and it can be triggered remotely over the network. While unsupported Django versions such as 5.0.x, 4.1.x, and 3.2.x were not evaluated, they may also be vulnerable. No public exploits have been reported yet, but the issue is recognized and patched in the latest Django releases. The CVSS v3.1 base score is 7.5, indicating a high severity primarily due to the impact on availability (A:H), with no confidentiality or integrity impact. This vulnerability highlights the risks of algorithmic complexity attacks in web frameworks, especially when handling complex Unicode inputs on Windows platforms.

For European organizations, this vulnerability poses a significant risk to the availability of web applications built on affected Django versions running on Windows servers. Attackers can remotely trigger denial-of-service conditions by sending crafted HTTP redirect requests containing large Unicode payloads, leading to server resource exhaustion and potential downtime. This can disrupt business operations, degrade user experience, and impact services reliant on Django-based web infrastructure. Organizations in sectors with high web service dependency—such as finance, e-commerce, government, and healthcare—may face operational interruptions and reputational damage. Additionally, the ease of exploitation without authentication increases the threat surface, enabling attackers to launch DoS attacks at scale. Although no known exploits are currently active, the vulnerability’s presence in widely used Django versions necessitates urgent remediation to prevent future attacks. The impact is particularly critical for organizations hosting public-facing web applications on Windows platforms, where the inefficient NFKC normalization is most pronounced.

1. Upgrade Django to the latest patched versions: 5.1.14 or later, 4.2.26 or later, and 5.2.8 or later, as these releases contain fixes addressing the inefficient NFKC normalization issue. 2. If immediate upgrade is not feasible, implement input validation to restrict or sanitize Unicode characters in HTTP redirect inputs, limiting the length and complexity of redirect URLs to reduce processing overhead. 3. Deploy rate limiting and request throttling on endpoints that handle redirects to mitigate the risk of automated DoS attempts exploiting this vulnerability. 4. Monitor web server logs and application metrics for abnormal spikes in CPU usage or unusually large redirect requests containing extensive Unicode characters. 5. Consider isolating or migrating Django applications from Windows servers to Linux-based environments where the NFKC normalization performance issue is less severe. 6. Engage in proactive threat hunting to detect potential exploitation attempts targeting this vulnerability. 7. Educate development and security teams about algorithmic complexity attacks and encourage secure coding practices to avoid similar issues in the future.