CVE-2025-64458: CWE-407: Inefficient Algorithmic Complexity in djangoproject Django
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
AI Analysis
Technical Summary
CVE-2025-64458 is a vulnerability in the Django web framework affecting versions 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The root cause is inefficient algorithmic complexity (CWE-407) in the Unicode NFKC normalization process on Windows platforms. Specifically, the functions django.http.HttpResponseRedirect, HttpResponsePermanentRedirect, and the shortcut django.shortcuts.redirect perform NFKC normalization on input strings. On Windows, this normalization is slow and can be exploited by an attacker supplying inputs with a very large number of Unicode characters, causing excessive CPU usage and leading to denial-of-service (DoS). The vulnerability arises because the normalization algorithm's complexity grows disproportionately with input size, allowing attackers to craft inputs that degrade server performance significantly. Earlier unsupported Django versions (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated but may also be vulnerable. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. The issue was responsibly disclosed by Seokchan Yoon. The vulnerability specifically impacts Windows deployments of Django web applications that use the affected redirect functions, which are common in web frameworks for HTTP redirection. Since the attack requires no authentication and can be triggered remotely by sending crafted HTTP requests, it poses a significant risk to availability.
Potential Impact
For European organizations, this vulnerability can lead to denial-of-service conditions on web applications built with affected Django versions running on Windows servers. This can cause service outages, degraded user experience, and potential business disruption, especially for public-facing services relying on HTTP redirects. The impact on confidentiality and integrity is minimal as the vulnerability targets availability. However, prolonged outages can indirectly affect organizational reputation and operational continuity. Organizations in sectors such as e-commerce, government services, and finance that rely on Django-based web applications are particularly at risk. The absence of known exploits reduces immediate risk, but the ease of exploitation without authentication and the widespread use of Django in Europe increase the threat potential. Attackers could leverage this vulnerability to disrupt services during critical periods or as part of larger multi-vector attacks. The impact is heightened in environments where Windows servers are used for Django hosting, which is common in mixed-OS enterprise environments.
Mitigation Recommendations
The primary mitigation is to upgrade Django to the fixed versions: 5.1.14 or later, 4.2.26 or later, or 5.2.8 or later. Organizations should prioritize patching Windows-based Django deployments that utilize the affected redirect functions. If immediate patching is not feasible, implement input validation to limit the size and complexity of Unicode inputs accepted by redirect endpoints. Deploy rate limiting and web application firewalls (WAFs) to detect and block abnormal request patterns with excessive Unicode characters. Monitoring server CPU usage and setting thresholds for alerting on unusual spikes can help detect exploitation attempts early. Consider isolating or restricting access to redirect endpoints if possible. Review application logs for suspicious requests containing large Unicode payloads. Additionally, evaluate the necessity of using the affected redirect functions and replace them with safer alternatives if applicable. Finally, educate development and operations teams about this vulnerability to ensure rapid response and remediation.
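The input-validation mitigation above, as an added example that is not Django's own fix: a user-supplied redirect target (assumed to arrive as a query parameter such as `next`) is length-capped with a plain code-point count before any URL parsing or NFKC normalization touches it, and anything rejected falls back to a safe local path that a Django view would then hand to `redirect()`. `MAX_REDIRECT_LEN` and `SAFE_FALLBACK` are hypothetical values chosen for this illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical cap in code points; size it to the longest URL the app really emits.
MAX_REDIRECT_LEN = 2048
# Where the client is sent when its requested target is rejected.
SAFE_FALLBACK = "/"


def count_non_ascii(s: str) -> int:
    """Count code points outside ASCII. A cheap O(n) scan with no normalization,
    useful for logging how 'Unicode-heavy' a rejected target was."""
    return sum(1 for ch in s if ord(ch) > 0x7F)


def choose_redirect_target(raw: Optional[str],
                           max_len: int = MAX_REDIRECT_LEN) -> Tuple[str, str]:
    """Return (target, reason) for a user-controlled redirect target.

    The cap is enforced with len(), an O(n) code-point count, *before* the
    string is parsed, so an oversize value never reaches urlsplit() or any
    NFKC normalization. Only same-site relative paths are honoured, which
    also closes the usual open-redirect hole."""
    if not raw:
        return SAFE_FALLBACK, "missing"
    if len(raw) > max_len:
        # Worth logging: oversize target, possibly an abuse attempt.
        return SAFE_FALLBACK, f"too_long:{len(raw)}"
    parts = urlsplit(raw)  # bounded input, so parsing cost is bounded too
    if parts.scheme or parts.netloc:
        return SAFE_FALLBACK, "not_relative"
    return raw, "ok"


if __name__ == "__main__":
    # Constructed inputs: a normal path, a foreign host, and an oversize
    # string built from a compatibility ligature that NFKC would expand.
    for sample in ["/accounts/profile/", "https://evil.example/", "\ufb01" * 100_000]:
        target, reason = choose_redirect_target(sample)
        print(reason, "->", target, "| non-ASCII:", count_non_ascii(sample))
```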
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: DSF
- Date Reserved: 2025-11-04T14:35:57.526Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 690b6b8d39a16b4c6e53b829
Added to database: 11/5/2025, 3:21:49 PM
Last enriched: 11/5/2025, 3:23:35 PM
Last updated: 11/5/2025, 5:48:20 PM