
CVE-2025-64460: CWE-407: Inefficient Algorithmic Complexity in djangoproject Django

Severity: High
Published: Tue Dec 02 2025 (12/02/2025, 15:15:34 UTC)
Source: CVE Database V5
Vendor/Project: djangoproject
Product: Django

Description

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

AI-Powered Analysis

Last updated: 12/09/2025, 16:51:04 UTC

Technical Analysis

CVE-2025-64460 is a vulnerability categorized under CWE-407 (Inefficient Algorithmic Complexity) found in the Django web framework versions 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. The flaw exists in the XML deserialization process, specifically within the django.core.serializers.xml_serializer.getInnerText() function. This function processes XML input to extract inner text but can be exploited by an attacker supplying specially crafted XML data designed to cause excessive computational overhead. This leads to a denial-of-service condition by exhausting CPU and memory resources on the server. The vulnerability is remotely exploitable without requiring any authentication or user interaction, making it a network-level threat. Although earlier unsupported Django versions (such as 5.0.x, 4.1.x, and 3.2.x) have not been evaluated, they may also be vulnerable. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation and the impact on availability. No public exploits have been reported yet, but the potential for disruption is significant, especially for applications relying on XML deserialization. The vulnerability was responsibly disclosed by Seokchan Yoon and is publicly documented as of December 2025.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability of web applications built on affected Django versions. Attackers can remotely trigger denial-of-service conditions, potentially causing service outages, degraded performance, and resource exhaustion. This can disrupt business operations, especially for organizations providing critical online services or handling high volumes of XML data. The lack of authentication or user interaction requirements lowers the barrier for exploitation, increasing the threat surface. Organizations in sectors such as finance, e-commerce, government services, and healthcare that rely on Django-based applications are particularly vulnerable. Prolonged outages could lead to reputational damage, financial losses, and regulatory scrutiny under EU data protection and service availability mandates. Additionally, the potential for cascading effects exists if backend systems or APIs rely on vulnerable XML deserialization.

Mitigation Recommendations

The primary mitigation is to upgrade Django installations to the fixed versions: 5.2.9 or later, 5.1.15 or later, and 4.2.27 or later. Organizations should prioritize patching production environments where XML deserialization is used. In addition to patching, implement strict input validation and sanitization on XML inputs to reduce the risk of malicious payloads causing resource exhaustion. Employ rate limiting and anomaly detection on endpoints that accept XML data to detect and block abnormal request patterns indicative of an attack. Consider disabling XML deserialization if not required or replacing it with safer serialization formats like JSON. Monitor application logs and resource usage metrics to identify potential exploitation attempts. Conduct regular security assessments and code reviews focusing on deserialization logic. Finally, maintain an incident response plan to quickly mitigate and recover from potential DoS attacks.
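One concrete form of the input-validation step above, as an added example that is not Django's own code: a streaming expat pre-filter that caps byte size, element count and nesting depth (the limits are assumed defaults) and refuses DTD entity declarations before a request body is handed to `django.core.serializers.deserialize("xml", ...)`.

```python
# Added example (not Django's code): reject oversized or deeply nested XML
# before it is handed to django.core.serializers.deserialize("xml", ...).
import xml.parsers.expat

MAX_BYTES = 1024 * 1024   # assumed cap: 1 MiB of XML per request
MAX_ELEMENTS = 10_000     # assumed cap: total start tags
MAX_DEPTH = 32            # assumed cap: element nesting depth


class XmlLimitExceeded(ValueError):
    """A cap was hit; the request should be rejected before deserialization."""


def check_xml_limits(data, max_bytes=MAX_BYTES, max_elements=MAX_ELEMENTS,
                     max_depth=MAX_DEPTH):
    """Stream-parse `data` (bytes); return element count and max depth.

    Raises XmlLimitExceeded as soon as a cap is exceeded, so a hostile body
    costs at most the work of reading the prefix that tripped the cap.
    """
    if len(data) > max_bytes:
        raise XmlLimitExceeded(f"{len(data)} bytes exceeds {max_bytes}")
    stats = {"elements": 0, "depth": 0, "max_depth": 0}
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(*_args):
        # Fixtures never need DTD entities, and entity expansion is its own
        # XML resource-exhaustion vector, so refuse any declaration outright.
        raise XmlLimitExceeded("entity declarations are not allowed")

    def on_start(_name, _attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["elements"] > max_elements:
            raise XmlLimitExceeded(f"more than {max_elements} elements")
        if stats["depth"] > max_depth:
            raise XmlLimitExceeded(f"nesting deeper than {max_depth} levels")

    def on_end(_name):
        stats["depth"] -= 1

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)   # handler exceptions propagate out of here
    except xml.parsers.expat.ExpatError as exc:
        raise XmlLimitExceeded(f"malformed XML: {exc}") from exc
    return {"elements": stats["elements"], "max_depth": stats["max_depth"]}
```

Call `check_xml_limits(body)` in the view before deserializing and return a 4xx on `XmlLimitExceeded`; this bounds the work an attacker can force per request but does not replace the upgrade, which is the only complete remedy for the `getInnerText()` complexity issue.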


Technical Details

Data Version: 5.2
Assigner Short Name: DSF
Date Reserved: 2025-11-04T14:35:57.527Z
Cvss Version: null
State: PUBLISHED

Threat ID: 692f093f16d939a309c309a0

Added to database: 12/2/2025, 3:43:59 PM

Last enriched: 12/9/2025, 4:51:04 PM

Last updated: 1/16/2026, 7:13:44 PM
