Denial-of-Service Vulnerability in Django XML Deserialization Process
CVE-2025-64460

7.5HIGH

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
2 December 2025

What is CVE-2025-64460?

An issue in the Django XML deserialization process can lead to a denial-of-service attack due to algorithmic complexity in handling specially crafted XML input. The affected versions of Django, including 5.2, 5.1, and 4.2, may experience CPU and memory exhaustion when processing such input through the XML Deserializer. Earlier versions like 5.0.x, 4.1.x, and 3.2.x are not officially evaluated but could also be at risk. This vulnerability emphasizes the importance of maintaining updated software to safeguard against potential exploits.

Affected Version(s)

Django 5.2 < 5.2.9

Django 5.1 < 5.1.15

Django 4.2 < 4.2.27

References

https://docs.djangoproject.com/en/dev/releases/security/
vendor-advisory
https://groups.google.com/g/django-announce
mailing-list
https://www.djangoproject.com/weblog/2025/dec/02/security...
vendor-advisory

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Seokchan Yoon
Shai Berger
Natalia Bidart
JSON
.