Resource exhaustion in Django

GHSA-2hrw-hx67-34x6 · BIT-django-2023-24580 · CVE-2023-24580 · PYSEC-2023-13

Published Feb 15, 2023 · Modified Mar 19, 2025

Description

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-24580
WEB https://github.com/django/django/commit/628b33a854a9c68ec8a0c51f382f304a0044ec92
WEB https://github.com/django/django/commit/83f1ea83e4553e211c1c5a0dfc197b66d4e50432
WEB https://github.com/django/django/commit/a665ed5179f5bbd3db95ce67286d0192eff041d8
WEB https://www.djangoproject.com/weblog/2023/feb/14/security-releases
WEB https://security.netapp.com/advisory/ntap-20230316-0006
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B
WEB https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html
WEB https://groups.google.com/forum/#%21forum/django-announce
WEB https://groups.google.com/forum/#!forum/django-announce
WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-13.yaml
PACKAGE https://github.com/django/django
WEB https://docs.djangoproject.com/en/4.1/releases/security
WEB http://www.openwall.com/lists/oss-security/2023/02/14/1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes