CVE-2026-25673 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the Django web framework, specifically versions 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. The issue stems from the URLField.to_python() method, which internally calls Python's urllib.parse.urlsplit() function. On Windows platforms, urlsplit() performs Unicode Normalization Form KC (NFKC) normalization on URL inputs. This normalization process is disproportionately slow when processing certain Unicode characters, leading to excessive CPU consumption. An attacker can exploit this by crafting large URLs containing these specific Unicode characters and sending them to a Django application running on Windows. This results in a denial of service (DoS) condition by exhausting server resources, potentially making the application unresponsive. Earlier unsupported Django versions (such as 5.0.x, 4.1.x, and 3.2.x) have not been evaluated but may also be vulnerable. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. The vulnerability was responsibly disclosed by Seokchan Yoon. Since the flaw is triggered remotely without authentication or user interaction, it poses a significant risk to affected deployments, especially those exposed to untrusted internet traffic. The patch status indicates fixes are available in the specified versions, but no direct patch links were provided in the source data.

The primary impact of CVE-2026-25673 is a denial of service (DoS) condition caused by excessive CPU consumption during URL parsing on Windows servers running vulnerable Django versions. This can lead to application unavailability, degraded performance, and potential cascading failures in dependent services. Organizations relying on Django for web applications, APIs, or backend services may experience service interruptions, affecting user experience and business operations. The vulnerability can be exploited remotely without authentication, increasing the attack surface. Since the issue exploits Unicode normalization inefficiencies, automated attack tools could easily generate malicious payloads, potentially leading to large-scale DoS attacks. This risk is heightened for organizations with public-facing Django applications on Windows infrastructure. Additionally, the lack of evaluation for earlier unsupported versions means some legacy systems may unknowingly remain vulnerable. The disruption could affect industries relying heavily on Django, including technology, finance, education, and government sectors, potentially causing reputational damage and financial losses.

To mitigate CVE-2026-25673, organizations should upgrade Django to the fixed versions: 6.0.3 or later, 5.2.12 or later, and 4.2.29 or later. If immediate upgrading is not feasible, implement input validation to reject unusually large URLs or those containing suspicious Unicode characters known to trigger slow normalization. Deploy rate limiting and request throttling at the web server or application firewall level to reduce the impact of potential abuse. Monitor application logs for abnormal spikes in URL parsing times or CPU usage indicative of exploitation attempts. Consider isolating Django applications behind reverse proxies that can filter or block malformed requests. For Windows deployments, evaluate alternative URL parsing methods or patch urllib.parse.urlsplit() if possible. Regularly review and update dependencies and maintain an incident response plan for DoS events. Finally, audit legacy Django versions in use and plan for upgrades or compensating controls since unsupported versions may also be vulnerable.