
CVE-2025-64458: CWE-407: Inefficient Algorithmic Complexity in djangoproject Django

Severity: High
Tags: vulnerability, cve-2025-64458, cwe-407
Published: Wed Nov 05 2025 (11/05/2025, 15:07:17 UTC)
Source: CVE Database V5
Vendor/Project: djangoproject
Product: Django

Description

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 15:51:35 UTC

Technical Analysis

CVE-2025-64458 is an algorithmic-complexity weakness (CWE-407) in the way Django's redirect responses parse their target URL. Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8 are affected. django.http.HttpResponseRedirect, django.http.HttpResponsePermanentRedirect, and the shortcut django.shortcuts.redirect (which builds one of those two responses) hand the redirect target to Python's URL parser, urllib.parse.urlsplit(). When the host part of that URL contains non-ASCII characters, urlsplit() applies NFKC normalization to the host as part of its confusable-character check, and Python's NFKC normalization is markedly slower on Windows than on other platforms. A redirect target consisting of a very large number of such characters therefore occupies a worker process for far longer than any legitimate request. The attacker needs a code path where the redirect target is derived from request data, the classic case being a next or return_to parameter passed straight to redirect(); an application that only redirects to fixed or server-generated URLs is not exposed even on Windows. The impact is limited to availability: each crafted request burns CPU for an extended time, and enough of them in parallel exhaust the worker pool. No privileges or user interaction are required, and the requests travel over the network like any other. Earlier, unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may share the behaviour. No public exploit has been reported. The CVE record itself carries no CVSS vector (see Technical Details below); a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) is consistent with what is described: network vector, low complexity, no privileges, no user interaction, high availability impact only. The issue was reported by Seokchan Yoon and acknowledged by the Django project.
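The following standard-library-only script, added here as an example and not code from the Django project or from this page, reproduces the slow path (urlsplit() on a long non-ASCII host) and shows the length cap that keeps request-derived redirect targets out of it; the same cap is the first of the mitigations listed further down. The hostile input is constructed, safe_redirect_target() is a hypothetical helper for a view to call in front of redirect(), and MAX_REDIRECT_LENGTH is an assumed value, not a Django setting.

```python
"""Stdlib-only reproduction of the slow path behind CVE-2025-64458, plus a
length cap that keeps request-derived redirect targets out of it.

Added example, not Django project code.  Django's redirect responses pass the
target to urllib.parse.urlsplit(); when the host part is non-ASCII, urlsplit
runs unicodedata.normalize("NFKC", ...) over it for its confusable-character
check (bpo-36216), and that normalization is the step that is slow on Windows.
MAX_REDIRECT_LENGTH is an assumed cap for this example, not a Django setting.
"""
import time
from urllib.parse import urlsplit

# Assumed cap on a redirect target taken from request data.  Legitimate URLs
# are far shorter; anything above this is refused rather than parsed.
MAX_REDIRECT_LENGTH = 2048


def build_hostile_target(n_chars: int) -> str:
    """Constructed attacker input: a scheme-relative URL whose host is a long
    run of CIRCLED DIGIT ONE (U+2460).  NFKC maps it to "1", so the host is
    non-ASCII and changes under normalization, which is the case urlsplit
    checks character by character."""
    return "//" + "\u2460" * n_chars


def time_urlsplit(url: str) -> float:
    """Seconds spent in urlsplit() for url, i.e. the cost Django pays before
    it can even look at the scheme.  urlsplit caches results from Python 3.11
    on, so time each distinct input once."""
    start = time.perf_counter()
    urlsplit(url)
    return time.perf_counter() - start


def safe_redirect_target(raw, fallback="/", max_length=MAX_REDIRECT_LENGTH):
    """Return raw only if it is a short, same-origin path; otherwise fallback.

    The length test runs before any parsing, because parsing is the expensive
    step.  In a Django view this sits directly in front of redirect():
        return redirect(safe_redirect_target(request.GET.get("next")))
    """
    if not isinstance(raw, str) or not raw or len(raw) > max_length:
        return fallback
    parsed = urlsplit(raw)
    # Open-redirect guard: refuse absolute and scheme-relative targets.  In a
    # real Django view use url_has_allowed_host_and_scheme() for this part,
    # still after the length test, since it parses the URL as well.
    if parsed.scheme or parsed.netloc:
        return fallback
    if not raw.startswith("/"):
        return fallback
    return raw


if __name__ == "__main__":
    for n in (1_000, 100_000):
        t = time_urlsplit(build_hostile_target(n))
        print(f"urlsplit on {n:>7} hostile chars: {t:.4f}s")
    print(safe_redirect_target(build_hostile_target(100_000)))  # "/"
    print(safe_redirect_target("/account/"))                    # "/account/"
    print(safe_redirect_target("//evil.example/"))              # "/"
```

Run it on a Windows host and compare the two timings with a Linux box to see the platform gap the advisory describes; on every platform the capped helper returns the fallback for the hostile input without ever calling urlsplit().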

Potential Impact

The practical impact of CVE-2025-64458 is denial of service against Django applications that run on Windows and build redirect targets from request data. Each crafted request with a long run of non-ASCII characters in the redirect target occupies a worker for far longer than a legitimate request, so a modest number of concurrent requests can stall a site, degrade response times for every other user and, where upstream services wait on it, cause knock-on failures. Because the affected classes are the standard way to issue a redirect in Django, the exposed pattern (a login page honouring a next parameter, a post-action redirect to a user-supplied return URL) is common across Django code bases. No authentication or user interaction is needed, so the requests can be sent anonymously and from anywhere. Confidentiality and integrity are untouched, but for high-traffic or mission-critical services the loss of availability can be serious. The slow NFKC path is specific to Python on Windows, so the advisory concerns Windows hosts; organizations in finance, healthcare, e-commerce and government that host Django on Windows servers should treat this as a patch-now item.

Mitigation Recommendations

To mitigate CVE-2025-64458, upgrade to a fixed release: 5.2.8, 5.1.14 or 4.2.26, or later in each series. Where patching has to wait, the following reduce exposure:
1) Cap the length of any request-derived redirect target before it reaches HttpResponseRedirect, HttpResponsePermanentRedirect or redirect(). A few kilobytes is generous for a legitimate URL; above that, reject the request or fall back to a default location. The cap must run before any URL parsing, including Django's own url_has_allowed_host_and_scheme(), because parsing is the slow step.
2) On a WAF or reverse proxy, drop requests whose query-string or form fields carrying redirect targets (next, return_to and similar) exceed a size limit or consist mostly of non-ASCII characters.
3) Watch worker CPU time and per-request latency. A cluster of very slow requests to redirect-issuing endpoints from a small number of sources is the signature of this attack.
4) Prefer non-Windows hosts for unpatched Django deployments, or put Windows hosts behind the filtering above.
5) Audit views for redirects built from request data and route them through one validated helper rather than calling redirect() on raw input.
6) Rate-limit endpoints that redirect to user-supplied targets, so that a single client cannot occupy many workers at once.
These measures complement patching; they do not replace it.
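For the monitoring and WAF points above, the following scanner, added here as an example and not code from the page or the Django project, flags access-log entries whose redirect-style query parameters decode to a very long, mostly non-ASCII value, which is the request shape that drives the slow path. The log lines are constructed in Common Log Format; the parameter names and both thresholds are assumptions to tune per site.

```python
"""Scan web-server access logs for the request shape behind CVE-2025-64458:
a redirect-style query parameter whose decoded value is very long and mostly
non-ASCII.

Added example, not from the page or the Django project.  Log lines are
constructed; REDIRECT_PARAMS and both thresholds are assumptions to tune.
"""
import re
from urllib.parse import parse_qsl

# Parameter names applications commonly feed to redirect(); extend per site.
REDIRECT_PARAMS = {"next", "return_to", "redirect", "url"}
MAX_VALUE_LENGTH = 2048       # assumed: decoded length above this is hostile
MIN_NON_ASCII_FRACTION = 0.5  # assumed: share of non-ASCII chars that flags

# Common Log Format: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def non_ascii_fraction(s: str) -> float:
    """Share of characters above U+007F in s (0.0 for an empty string)."""
    if not s:
        return 0.0
    return sum(1 for c in s if ord(c) > 127) / len(s)


def suspicious_values(target, params=REDIRECT_PARAMS,
                      max_len=MAX_VALUE_LENGTH, min_frac=MIN_NON_ASCII_FRACTION):
    """Return [(name, decoded_length)] for redirect-style params that look
    like payloads.  The query is split off by hand rather than with
    urlsplit(), so the scanner never walks into the NFKC path it hunts for."""
    _, sep, query = target.partition("?")
    if not sep:
        return []
    hits = []
    # parse_qsl percent-decodes the value, so the length measured here is the
    # length the application would hand to redirect().
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in params:
            continue
        if len(value) > max_len and non_ascii_fraction(value) >= min_frac:
            hits.append((name, len(value)))
    return hits


def scan_log(lines):
    """Return (ip, timestamp, param, decoded_length) per flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, length in suspicious_values(m["target"]):
            findings.append((m["ip"], m["ts"], name, length))
    return findings


# Constructed sample: two ordinary requests and one payload.  The hostile value
# is "//" followed by 3000 copies of U+2460, percent-encoded as UTF-8 the way
# a web server logs it.
_PAYLOAD = "%2F%2F" + "%E2%91%A0" * 3000
SAMPLE_LOG = [
    '198.51.100.10 - - [05/Nov/2025:15:07:17 +0000] '
    '"GET /login/?next=/dashboard/ HTTP/1.1" 302 0',
    '198.51.100.11 - - [05/Nov/2025:15:07:18 +0000] '
    '"GET /search/?q=caf%C3%A9 HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Nov/2025:15:07:19 +0000] '
    f'"GET /login/?next={_PAYLOAD} HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, ts, name, length in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} param={name} decoded_length={length}")
```

The same two tests (decoded length over a cap, high non-ASCII share) translate directly into a reverse-proxy or WAF rule on the raw query string; measuring after percent-decoding matters, because a 3000-character payload is 9000 bytes on the wire and an encoded-length threshold would be off by the same factor.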


Technical Details

Data Version
5.2
Assigner Short Name
DSF
Date Reserved
2025-11-04T14:35:57.526Z
Cvss Version
null
State
PUBLISHED

Threat ID: 690b6b8d39a16b4c6e53b829

Added to database: 11/5/2025, 3:21:49 PM

Last enriched: 2/27/2026, 3:51:35 PM

Last updated: 3/24/2026, 2:44:27 AM

Views: 270

Community Reviews

0 reviews

