{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-26699", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-19T20:03:03.946Z", "dateReserved": "2025-02-14T00:00:00.000Z", "datePublished": "2025-03-06T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Django", "vendor": "djangoproject", "versions": [{"lessThan": "4.2.20", "status": "affected", "version": "4.2", "versionType": "custom"}, {"lessThan": "5.0.13", "status": "affected", "version": "5.0", "versionType": "custom"}, {"lessThan": "5.1.7", "status": "affected", "version": "5.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-03-06T18:45:09.686Z"}, "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"url": "https://groups.google.com/g/django-announce"}, {"url": "https://www.djangoproject.com/weblog/2025/mar/06/security-releases/"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "4.2.20"}, {"vulnerable": true, "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.0.13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "5.1.7"}]}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/03/06/12"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-03-19T20:03:03.946Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-06T20:30:28.270345Z", "id": "CVE-2025-26699", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-06T20:30:47.224Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/03/06/12"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-03-19T20:03:03.946Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-26699", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-06T20:30:28.270345Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-06T20:30:37.247Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L"}}], "affected": [{"vendor": "djangoproject", "product": "Django", "versions": [{"status": "affected", "version": "4.2", "lessThan": "4.2.20", "versionType": "custom"}, {"status": "affected", "version": "5.0", "lessThan": "5.0.13", "versionType": "custom"}, {"status": "affected", "version": "5.1", "lessThan": "5.1.7", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"url": "https://groups.google.com/g/django-announce"}, {"url": "https://www.djangoproject.com/weblog/2025/mar/06/security-releases/"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.2.20", "versionStartIncluding": "4.2"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.0.13", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.1.7", "versionStartIncluding": "5.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-03-06T18:45:09.686Z"}}}, "cveMetadata": {"cveId": "CVE-2025-26699", "state": "PUBLISHED", "dateUpdated": "2025-03-19T20:03:03.946Z", "dateReserved": "2025-02-14T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-03-06T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F9422DC-1A04-46D1-AF63-8CCE2771D688", "versionEndExcluding": "4.2.20", "versionStartIncluding": "4.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "93FC8174-6428-4A5A-AB98-1E5ACED4A004", "versionEndExcluding": "5.0.13", "versionStartIncluding": "5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "14F6AF20-1EE1-4A77-8A41-596738672AE2", "versionEndExcluding": "5.1.7", "versionStartIncluding": "5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Django 5.1 anterior a 5.1.7, 5.0 anterior a 5.0.13 y 4.2 anterior a 4.2.20. El m\u00e9todo django.utils.text.wrap() y el filtro de plantilla wordwrap est\u00e1n sujetos a un posible ataque de denegaci\u00f3n de servicio cuando se utilizan con cadenas muy largas. "}], "id": "CVE-2025-26699", "lastModified": "2025-10-03T00:32:38.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-06T19:15:27.683", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory", "Release Notes"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://groups.google.com/g/django-announce"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory", "Release Notes"], "url": "https://www.djangoproject.com/weblog/2025/mar/06/security-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2025/03/06/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3709", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-server-rhel9:1.13.1-1", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-04-08T00:00:00Z"}, {"advisory": "RHSA-2025:8609", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-django-0:4.2.21-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2025-06-05T00:00:00Z"}, {"advisory": "RHSA-2025:8609", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-django-0:4.2.21-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2025-06-05T00:00:00Z"}, {"advisory": "RHSA-2025:3160", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package": "python3.11-django-0:4.2.20-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3162", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package": "ansible-automation-platform-25/lightspeed-rhel8:2.5.250318-2", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:4553", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package": "automation-controller-0:4.6.12-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:3160", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package": "python3.11-django-0:4.2.20-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:4553", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package": "automation-controller-0:4.6.12-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date": "2025-05-06T00:00:00Z"}], "bugzilla": {"description": "django: Potential denial-of-service vulnerability in django.utils.text.wrap()", "id": "2348993", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348993"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.", "A potential denial of service vulnerability exists in django.utils.text.wrap() and the wordwrap template filter. When processing extremely long strings, these functions may cause excessive resource consumption, potentially leading to service disruption."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-26699", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/platform-resource-runner-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "python-django", "product_name": "Red Hat Satellite 6"}], "public_date": "2025-03-06T14:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-26699\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-26699\nhttps://github.com/advisories/GHSA-p3fp-8748-vqfq"], "statement": "This vulnerability is rated as a Moderate severity because it exposes the wrap() method and wordwrap template filter to a potential denial of service attack. Malicious input containing extremely long strings could cause excessive processing, leading to resource exhaustion. However, it does not affect data confidentiality or integrity.", "threat_severity": "Moderate"}

{}