Bug 2418366 (CVE-2025-64460)

Summary: CVE-2025-64460 Django: Django: Algorithmic complexity in XML Deserializer leads to denial of service
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anthomas, brasmith, carogers, caswilli, cochase, dnakabaa, dranck, eglynn, ehelms, erezende, ggainey, haoli, hkataria, jajackso, jcammara, jjoyce, jmitchel, jneedle, joehler, jschluet, juwatts, jwong, kaycoth, kegrant, koliveir, kshier, lcouzens, lhh, mabashia, mburns, mgarciac, mhulan, mskarbek, nmoumoul, omaciel, osousa, pbraun, pcreech, rchan, shvarugh, simaishi, smallamp, smcdonal, stcannon, teagle, tfister, thavo, tmalecek, ttakamiy, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Django. This vulnerability allows a remote attacker to cause a potential denial-of-service (DoS) attack triggering Central Processing Unit (CPU) and memory exhaustion via specially crafted Extensible Markup Language (XML) input processed by the XML Deserializer.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-02 16:01:33 UTC 
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Comment 4 errata-xmlrpc 2026-01-26 19:36:00 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9
  Red Hat Ansible Automation Platform 2.6 for RHEL 10

Via RHSA-2026:1249 https://access.redhat.com/errata/RHSA-2026:1249
Comment 5 errata-xmlrpc 2026-01-28 15:23:24 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2026:1497 https://access.redhat.com/errata/RHSA-2026:1497
Comment 6 errata-xmlrpc 2026-01-28 17:22:57 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2026:1506 https://access.redhat.com/errata/RHSA-2026:1506