Share
## https://sploitus.com/exploit?id=48308444-4E1C-5C13-98E8-B9428159C349
# CVE-2025-64458 — Django Redirect DoS on Windows

## Description
A denial-of-service (DoS) issue in Django’s redirect responses allows an attacker to trigger excessive CPU work during URL normalization when constructing redirect responses. On Windows, Python’s Unicode NFKC normalization is particularly slow. As a result, creating `HttpResponseRedirect`/`HttpResponsePermanentRedirect` (or using `django.shortcuts.redirect()`) with attacker‑controlled, very large Unicode URLs can cause pathological processing times, leading to request thread exhaustion and service slowdown/outage.

This issue is a follow‑up to CVE‑2025‑27556 and specifically impacts Windows due to the performance characteristics of `unicodedata.normalize()` on that platform.

## Impact
- Unauthenticated DoS via endpoints that reflect or use user‑supplied redirect targets (e.g., `next`/`return_to` parameters, or app logic returning a redirect using untrusted input).
- Affects Django’s redirect classes: `HttpResponseRedirect` (302) and `HttpResponsePermanentRedirect` (301), as well as `django.shortcuts.redirect()`.
- Severity: High (as noted in Django’s release notes). Linux/macOS are far less impacted; Windows shows significant slowdowns.

## What the PoC (`poc.py`) Demonstrates
- Builds extremely long URLs by repeating a full‑width Unicode letter in the hostname (e.g., `A`), e.g., `https://AA…/`.
- Repeatedly instantiates `HttpResponseRedirect(url)`, which triggers URL normalization (`iri_to_uri()`) and splitting (`urlsplit()`), exercising the slow path on Windows.
- Prints average time per instantiation across increasing URL sizes, showing how computation time grows with very large Unicode inputs.
- On patched Django, overly long redirect targets are rejected early with `DisallowedRedirect` (see Patch Summary), preventing the expensive normalization work.

## Patch Summary (c880530ddd4f)
- Adds a length guard to redirect targets in `HttpResponseRedirectBase.__init__`:
  - Imports `MAX_URL_LENGTH` from `django.utils.http`.
  - Converts the target to `str` and raises `DisallowedRedirect` if `len(redirect_to_str) > MAX_URL_LENGTH` before calling `urlsplit()`.
- Extends tests to ensure excessively long Unicode URLs raise `DisallowedRedirect`.
- Documents the CVE in the 4.2.26, 5.1.14, and 5.2.8 release notes as a Windows‑specific DoS risk due to slow NFKC normalization.

## Affected/Fixed Versions
- Fixed in: 4.2.26, 5.1.14, 5.2.8.
- Older patch levels are vulnerable on Windows when redirect targets derive from untrusted input.

## Reference
- Upstream patch diff: https://github.com/django/django/commit/c880530ddd4fabd5939bab0e148bebe36699432a.diff