Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for asgiref by djangoproject

    CVE-2025-14550 (GCVE-0-2025-14550)

    Vulnerability from nvd – Published: 2026-02-03 14:38 – Updated: 2026-02-03 16:27
    VLAI
    Title
    Potential denial-of-service vulnerability via repeated headers when using ASGI
    Summary
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.2 (semver)
    Unaffected: 6.0.2 (semver)
    Affected: 5.2 , < 5.2.11 (semver)
    Unaffected: 5.2.11 (semver)
    Affected: 4.2 , < 4.2.28 (semver)
    Unaffected: 4.2.28 (semver)
    Create a notification for this product.
    djangoproject asgiref Affected: 3 , < 3.11.1 (semver)
    Unaffected: 3.11.1 (semver)
    Create a notification for this product.
    Date Public
    2026-02-03 08:00
    Credits
    Jiyong Yang Jake Howard Jacob Walls
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14550",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T16:27:25.280447Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T16:27:38.976Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.2",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.11",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.28",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.28",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.org/project/asgiref/",
              "defaultStatus": "unaffected",
              "packageName": "asgiref",
              "product": "asgiref",
              "repo": "https://github.com/django/asgiref/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "3.11.1",
                  "status": "affected",
                  "version": "3",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.11.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jiyong Yang"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jake Howard"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-02-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003e`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Jiyong Yang for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Jiyong Yang for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130: Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "moderate"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407: Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T14:38:15.875Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.2, 5.2.11, and 4.2.28",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-14T18:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2025-12-16T18:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-02-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential denial-of-service vulnerability via repeated headers when using ASGI",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2025-14550",
        "datePublished": "2026-02-03T14:38:15.875Z",
        "dateReserved": "2025-12-11T20:08:21.400Z",
        "dateUpdated": "2026-02-03T16:27:38.976Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14550 (GCVE-0-2025-14550)

    Vulnerability from cvelistv5 – Published: 2026-02-03 14:38 – Updated: 2026-02-03 16:27
    VLAI
    Title
    Potential denial-of-service vulnerability via repeated headers when using ASGI
    Summary
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    DSF
    Impacted products
    Vendor Product Version
    djangoproject Django Affected: 6.0 , < 6.0.2 (semver)
    Unaffected: 6.0.2 (semver)
    Affected: 5.2 , < 5.2.11 (semver)
    Unaffected: 5.2.11 (semver)
    Affected: 4.2 , < 4.2.28 (semver)
    Unaffected: 4.2.28 (semver)
    Create a notification for this product.
    djangoproject asgiref Affected: 3 , < 3.11.1 (semver)
    Unaffected: 3.11.1 (semver)
    Create a notification for this product.
    Date Public
    2026-02-03 08:00
    Credits
    Jiyong Yang Jake Howard Jacob Walls
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14550",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T16:27:25.280447Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T16:27:38.976Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pypi.org/project/Django/",
              "defaultStatus": "unaffected",
              "packageName": "django",
              "product": "Django",
              "repo": "https://github.com/django/django/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "6.0.2",
                  "status": "affected",
                  "version": "6.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "6.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "5.2.11",
                  "versionType": "semver"
                },
                {
                  "lessThan": "4.2.28",
                  "status": "affected",
                  "version": "4.2",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "4.2.28",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pypi.org/project/asgiref/",
              "defaultStatus": "unaffected",
              "packageName": "asgiref",
              "product": "asgiref",
              "repo": "https://github.com/django/asgiref/",
              "vendor": "djangoproject",
              "versions": [
                {
                  "lessThan": "3.11.1",
                  "status": "affected",
                  "version": "3",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.11.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Jiyong Yang"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jake Howard"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Jacob Walls"
            }
          ],
          "datePublic": "2026-02-03T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\u003c/p\u003e\u003cp\u003e`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Jiyong Yang for reporting this issue.\u003c/p\u003e"
                }
              ],
              "value": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n`ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Jiyong Yang for reporting this issue."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130: Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
                  "value": "moderate"
                },
                "type": "Django severity rating"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-407",
                  "description": "CWE-407: Inefficient Algorithmic Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T14:38:15.875Z",
            "orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
            "shortName": "DSF"
          },
          "references": [
            {
              "name": "Django security archive",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://docs.djangoproject.com/en/dev/releases/security/"
            },
            {
              "name": "Django releases announcements",
              "tags": [
                "mailing-list"
              ],
              "url": "https://groups.google.com/g/django-announce"
            },
            {
              "name": "Django security releases issued: 6.0.2, 5.2.11, and 4.2.28",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-14T18:00:00.000Z",
              "value": "Initial report received."
            },
            {
              "lang": "en",
              "time": "2025-12-16T18:00:00.000Z",
              "value": "Vulnerability confirmed."
            },
            {
              "lang": "en",
              "time": "2026-02-03T08:00:00.000Z",
              "value": "Security release issued."
            }
          ],
          "title": "Potential denial-of-service vulnerability via repeated headers when using ASGI",
          "x_generator": {
            "engine": "cvelib 1.8.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
        "assignerShortName": "DSF",
        "cveId": "CVE-2025-14550",
        "datePublished": "2026-02-03T14:38:15.875Z",
        "dateReserved": "2025-12-11T20:08:21.400Z",
        "dateUpdated": "2026-02-03T16:27:38.976Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }