Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.

jacobtylerwalls · nessita · commit c880530ddd4f · 2025-11-05T09:20:57.000-03:00
Thanks Seokchan Yoon for the report, Markus Holtermann for the triage, and Jake Howard for the review. Follow-up to CVE-2025-27556 and 39e2297.
diff --git a/django/http/response.py b/django/http/response.py
@@ -22,7 +22,7 @@
 from django.utils.datastructures import CaseInsensitiveMapping
 from django.utils.encoding import iri_to_uri
 from django.utils.functional import cached_property
-from django.utils.http import content_disposition_header, http_date
+from django.utils.http import MAX_URL_LENGTH, content_disposition_header, http_date
 from django.utils.regex_helper import _lazy_re_compile
 
 _charset_from_content_type_re = _lazy_re_compile(
@@ -631,7 +631,12 @@ class HttpResponseRedirectBase(HttpResponse):
     def __init__(self, redirect_to, preserve_request=False, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self["Location"] = iri_to_uri(redirect_to)
-        parsed = urlsplit(str(redirect_to))
+        redirect_to_str = str(redirect_to)
+        if len(redirect_to_str) > MAX_URL_LENGTH:
+            raise DisallowedRedirect(
+                f"Unsafe redirect exceeding {MAX_URL_LENGTH} characters"
+            )
+        parsed = urlsplit(redirect_to_str)
         if preserve_request:
             self.status_code = self.status_code_preserve_request
         if parsed.scheme and parsed.scheme not in self.allowed_schemes:
diff --git a/docs/releases/4.2.26.txt b/docs/releases/4.2.26.txt
@@ -7,4 +7,12 @@ Django 4.2.26 release notes
 Django 4.2.26 fixes one security issue with severity "high" and one security
 issue with severity "moderate" in 4.2.25.
 
-...
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
diff --git a/docs/releases/5.1.14.txt b/docs/releases/5.1.14.txt
@@ -7,4 +7,12 @@ Django 5.1.14 release notes
 Django 5.1.14 fixes one security issue with severity "high" and one security
 issue with severity "moderate" in 5.1.13.
 
-...
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
diff --git a/docs/releases/5.2.8.txt b/docs/releases/5.2.8.txt
@@ -8,6 +8,16 @@ Django 5.2.8 fixes one security issue with severity "high", one security issue
 with severity "moderate", and several bugs in 5.2.7. It also adds compatibility
 with Python 3.14.
 
+CVE-2025-64458: Potential denial-of-service vulnerability in ``HttpResponseRedirect`` and ``HttpResponsePermanentRedirect`` on Windows
+======================================================================================================================================
+
+Python's :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, :class:`~django.http.HttpResponseRedirect`,
+:class:`~django.http.HttpResponsePermanentRedirect`, and the shortcut
+:func:`redirect() <django.shortcuts.redirect>` were subject to a potential
+denial-of-service attack via certain inputs with a very large number of Unicode
+characters (follow up to :cve:`2025-27556`).
+
 Bugfixes
 ========
 
diff --git a/tests/httpwrappers/tests.py b/tests/httpwrappers/tests.py
@@ -24,6 +24,7 @@
 )
 from django.test import SimpleTestCase
 from django.utils.functional import lazystr
+from django.utils.http import MAX_URL_LENGTH
 
 
 class QueryDictTests(SimpleTestCase):
@@ -490,6 +491,7 @@ def test_unsafe_redirect(self):
             'data:text/html,<script>window.alert("xss")</script>',
             "mailto:test@example.com",
             "file:///etc/passwd",
+            "é" * (MAX_URL_LENGTH + 1),
         ]
         for url in bad_urls:
             with self.assertRaises(DisallowedRedirect):

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@`
`24`	`24`	`)`
`25`	`25`	`from django.test import SimpleTestCase`
`26`	`26`	`from django.utils.functional import lazystr`
	`27`	`+from django.utils.http import MAX_URL_LENGTH`
`27`	`28`
`28`	`29`
`29`	`30`	`class QueryDictTests(SimpleTestCase):`
`@@ -490,6 +491,7 @@ def test_unsafe_redirect(self):`
`490`	`491`	`'data:text/html,<script>window.alert("xss")</script>',`
`491`	`492`	`"mailto:test@example.com",`
`492`	`493`	`"file:///etc/passwd",`
	`494`	`+ "é" * (MAX_URL_LENGTH + 1),`
`493`	`495`	`]`
`494`	`496`	`for url in bad_urls:`
`495`	`497`	`with self.assertRaises(DisallowedRedirect):`