Associated Vulnerability
Title: Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows (CVE-2025-64458)
Description: An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
Description
A PoC script demonstrating CVE-2025-64458 in Django: a potential DoS in `HttpResponseRedirect`/`HttpResponsePermanentRedirect` on Windows.
Readme
# CVE-2025-64458 — Django Redirect DoS on Windows
## Description
A denial-of-service (DoS) issue in Django’s redirect responses allows an attacker to trigger excessive CPU work during URL normalization when constructing redirect responses. On Windows, Python’s Unicode NFKC normalization is particularly slow. As a result, creating `HttpResponseRedirect`/`HttpResponsePermanentRedirect` (or using `django.shortcuts.redirect()`) with attacker‑controlled, very large Unicode URLs can cause pathological processing times, leading to request thread exhaustion and service slowdown/outage.
This issue is a follow‑up to CVE‑2025‑27556 and specifically impacts Windows due to the performance characteristics of `unicodedata.normalize()` on that platform.
## Impact
- Unauthenticated DoS via endpoints that reflect or use user‑supplied redirect targets (e.g., `next`/`return_to` parameters, or app logic returning a redirect using untrusted input).
- Affects Django’s redirect classes: `HttpResponseRedirect` (302) and `HttpResponsePermanentRedirect` (301), as well as `django.shortcuts.redirect()`.
- Severity: High (as noted in Django’s release notes). Linux/macOS are far less impacted; Windows shows significant slowdowns.
## What the PoC (`poc.py`) Demonstrates
- Builds extremely long URLs by repeating a full-width Unicode letter (e.g., `A`) in the hostname, producing targets such as `https://AA…/`.
- Repeatedly instantiates `HttpResponseRedirect(url)`, which triggers URL normalization (`iri_to_uri()`) and splitting (`urlsplit()`), exercising the slow path on Windows.
- Prints average time per instantiation across increasing URL sizes, showing how computation time grows with very large Unicode inputs.
- On patched Django, overly long redirect targets are rejected early with `DisallowedRedirect` (see Patch Summary), preventing the expensive normalization work.
## Patch Summary (c880530ddd4f)
- Adds a length guard to redirect targets in `HttpResponseRedirectBase.__init__`:
  - Imports `MAX_URL_LENGTH` from `django.utils.http`.
  - Converts the target to `str` and raises `DisallowedRedirect` if `len(redirect_to_str) > MAX_URL_LENGTH` before calling `urlsplit()`.
- Extends tests to ensure excessively long Unicode URLs raise `DisallowedRedirect`.
- Documents the CVE in the 4.2.26, 5.1.14, and 5.2.8 release notes as a Windows-specific DoS risk due to slow NFKC normalization.
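The following is an added example, not code from Django or from this PoC repository. It shows the shape of the fix described in the Patch Summary and the input shape described under "What the PoC Demonstrates": the redirect target is length-checked as a plain `str` before `urlsplit()` runs, because `urlsplit()` NFKC-normalizes a non-ASCII netloc (CPython's `_checknetloc`), which is the slow step on Windows. The constant value `2048`, the stand-in `DisallowedRedirect` class and the helper names are assumptions for this demonstration; the real Django objects are `django.utils.http.MAX_URL_LENGTH` and `django.core.exceptions.DisallowedRedirect`, whose value and signature the page does not state.

```python
"""Length guard for redirect targets, modelled on the fix described above.

Added example; not Django's code or the PoC's. Assumptions are marked inline.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumption: placeholder limit standing in for django.utils.http.MAX_URL_LENGTH,
# whose actual value this page does not state.
MAX_URL_LENGTH = 2048


class DisallowedRedirect(Exception):
    """Stand-in for django.core.exceptions.DisallowedRedirect (assumed name)."""


def guarded_redirect_parts(redirect_to):
    """Return (scheme, netloc) for a redirect target, rejecting over-long input
    before any normalization work happens (post-fix ordering).

    len() on the str is cheap; urlsplit() is where NFKC normalization of a
    non-ASCII netloc is performed, so the guard must come first.
    """
    redirect_to_str = str(redirect_to)
    if len(redirect_to_str) > MAX_URL_LENGTH:
        raise DisallowedRedirect(
            "Redirect target longer than %d characters" % MAX_URL_LENGTH
        )
    parsed = urlsplit(redirect_to_str)
    return parsed.scheme, parsed.netloc


def unguarded_redirect_parts(redirect_to):
    """Pre-fix ordering: split (and therefore normalize) with no length check.

    Kept only as the 'before' half of the comparison; it does the full
    normalization work regardless of input size.
    """
    parsed = urlsplit(str(redirect_to))
    return parsed.scheme, parsed.netloc


def nfkc_changes_netloc(redirect_to):
    """True if NFKC normalization alters the netloc, i.e. the input contains
    compatibility characters such as full-width letters. Useful when logging
    rejected targets to tell benign long URLs from deliberately padded ones.
    """
    netloc = urlsplit(str(redirect_to)).netloc
    return unicodedata.normalize("NFKC", netloc) != netloc


def make_sample_target(n):
    """Constructed sample input: a hostname of n full-width Latin capital A
    characters (U+FF21), the input shape the PoC description refers to.
    """
    return "https://" + "\uff21" * n + "/"


if __name__ == "__main__":
    ok = "https://example.com/account?next=/"
    print("accepted:", guarded_redirect_parts(ok))
    padded = make_sample_target(MAX_URL_LENGTH + 1)
    print("netloc changed by NFKC:", nfkc_changes_netloc(make_sample_target(4)))
    try:
        guarded_redirect_parts(padded)
    except DisallowedRedirect as exc:
        print("rejected:", exc)
```

The `nfkc_changes_netloc()` helper is not part of the fix; it illustrates a cheap signal a defender can record when a target is rejected, since an over-long hostname built from compatibility characters looks different from an ordinary long URL.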
## Affected/Fixed Versions
- Fixed in: 4.2.26, 5.1.14, 5.2.8.
- Older patch levels are vulnerable on Windows when redirect targets derive from untrusted input.
## Reference
- Upstream patch diff: https://github.com/django/django/commit/c880530ddd4fabd5939bab0e148bebe36699432a.diff
File Snapshot
[4.0K] /data/pocs/9d6296f9958f996449f3428dfc0fc128cd211f14
├── [1.3K] poc.py
├── [2.6K] README.md
└── [ 46] requirements.txt
1 directory, 3 files