CVE-2025-64460 is a vulnerability identified in the Django web framework affecting versions 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. The root cause is an inefficient algorithmic complexity in the function django.core.serializers.xml_serializer.getInnerText(), which is part of the XML deserialization mechanism. This function processes XML input to extract inner text, but due to suboptimal handling of certain XML structures, specially crafted XML payloads can cause the function to consume excessive CPU cycles and memory resources. This leads to a denial-of-service condition where the server becomes unresponsive or crashes due to resource exhaustion. The vulnerability does not affect confidentiality or integrity but severely impacts availability. It can be exploited remotely without authentication or user interaction, making it highly accessible to attackers. Earlier unsupported Django versions (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated but may also be vulnerable. No public exploits have been reported yet, but the high CVSS score of 7.5 reflects the ease of exploitation and potential impact. The issue was responsibly disclosed by Seokchan Yoon and addressed in subsequent patch releases. Since Django is widely used globally for web application development, this vulnerability poses a broad risk to many organizations that process XML data via Django's serialization framework.

The primary impact of CVE-2025-64460 is denial-of-service through resource exhaustion (CPU and memory), which can cause affected Django-based applications to become unresponsive or crash. This disrupts service availability, potentially affecting business operations, user experience, and critical online services. Since the vulnerability can be exploited remotely without authentication or user interaction, attackers can launch DoS attacks at scale, potentially targeting high-value web applications, APIs, or backend services using Django's XML deserialization. Organizations relying on Django for web services that accept XML input are at risk of service outages, which could lead to financial losses, reputational damage, and operational downtime. The vulnerability does not compromise data confidentiality or integrity but can be leveraged as part of a broader attack chain to degrade service or distract security teams. Given Django's widespread use in various sectors including technology, finance, healthcare, and government, the impact can be significant globally.

1. Immediately upgrade Django to the fixed versions: 5.2.9 or later, 5.1.15 or later, and 4.2.27 or later. 2. If upgrading is not immediately feasible, implement network-level protections such as rate limiting and web application firewalls (WAFs) to detect and block suspicious XML payloads or excessive requests targeting XML deserialization endpoints. 3. Review application code to minimize or avoid accepting untrusted XML input for deserialization, or replace XML deserialization with safer data formats like JSON where possible. 4. Employ input validation and XML schema validation to reject malformed or overly complex XML documents before processing. 5. Monitor application performance and resource usage to detect abnormal spikes indicative of exploitation attempts. 6. Use runtime application self-protection (RASP) tools to detect and mitigate resource exhaustion attacks dynamically. 7. Conduct regular security assessments and code reviews focusing on deserialization components. 8. Stay informed on Django security advisories for any updates or additional patches related to this vulnerability.