Timing Attack Vulnerability in Django's Authentication Mechanism
CVE-2025-13473

5.3MEDIUM

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
3 February 2026

What is CVE-2025-13473?

A vulnerability has been identified in the Django framework related to the user authentication function django.contrib.auth.handlers.modwsgi.check_password(). This flaw allows remote attackers to exploit timing differences in the authentication process, enabling them to enumerate valid usernames. Specifically, versions prior to 6.0.2, 5.2.11, and 4.2.28 are at risk of this exposure. Additionally, earlier unsupported versions, such as 5.0.x, 4.1.x, and 3.2.x, may also be vulnerable. The Django team acknowledges Stackered for their contribution in reporting this issue.

Affected Version(s)

Django 6.0 < 6.0.2

Django 5.2 < 5.2.11

Django 4.2 < 4.2.28

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2026/feb/03/security...
vendor-advisory

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stackered
Jake Howard
Jacob Walls
.