Platform: python
Component: django
Fixed in: 6.0.4, 5.2.13, 4.2.30
CVE-2026-33033 is a Denial of Service (DoS) vulnerability affecting the Django web framework. A malicious actor can exploit this flaw by submitting multipart uploads with Content-Transfer-Encoding: base64 and excessive whitespace, leading to performance degradation. This vulnerability impacts Django versions 6.0.3 and earlier, 5.2.12 and earlier, and 4.2.29 and earlier; other unsupported versions may also be vulnerable. A patch is available in Django 6.0.4, 5.2.13, and 4.2.30.
A denial-of-service (DoS) vulnerability has been identified in Django, affecting versions 6.0 (prior to 6.0.4), 5.2 (prior to 5.2.13), and 4.2 (prior to 4.2.30). The MultiPartParser component is susceptible to an attack where a remote attacker can degrade server performance by submitting multipart uploads with Content-Transfer-Encoding: base64 including excessive whitespace. This manipulation can consume significant server resources, leading to slowness or even the inability to respond to other requests. While unsupported series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated, they may also be vulnerable. The severity of this vulnerability is rated as CVSS 6.5.
An attacker could exploit this vulnerability by sending an HTTP POST request with a multipart/form-data upload. The upload would contain multiple parts, each encoded in base64 with a significant amount of whitespace before or after the encoded data. Django's MultiPartParser, upon processing this request, would spend a disproportionate amount of resources removing the whitespace, potentially overloading the server and causing a denial of service. The ease of exploitation lies in the simplicity of constructing a malicious HTTP request and the wide availability of tools to do so.
Exploit Status:
EPSS: 0.13% (33rd percentile)
CVSS Vector:
To mitigate this vulnerability, it is highly recommended to update to the latest Django version available for your series: 6.0.4, 5.2.13, or 4.2.30. These versions include a fix that addresses how MultiPartParser handles base64 encoding with excessive whitespace. If an immediate update is not possible, consider implementing additional security measures, such as limiting the maximum size of multipart uploads and monitoring server resource usage for potential DoS attacks. Furthermore, review and strengthen your Django application's security policies to prevent the entry of malicious data.
Update Django to version 6.0.4, 5.2.13 or 4.2.30 or later to mitigate the denial-of-service vulnerability. This vulnerability allows remote attackers to degrade server performance by sending multipart uploads with base64 encoding and excessive whitespace.
Versions 6.0 (prior to 6.0.4), 5.2 (prior to 5.2.13), and 4.2 (prior to 4.2.30) are vulnerable.
Use the command pip install django==[new_version] to update to the corrected version. For example: pip install django==6.0.4.
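The affected ranges above are per release series, so a pin such as django==5.2.12 must be compared against its own series' first fixed release rather than against the newest version overall. The following Python helper, added here as an example and not part of this advisory or of Django, parses django pins from requirements.txt lines (constructed sample below) and classifies them using only the ranges stated on this page; series the advisory does not evaluate (for example 5.0.x or 4.1.x) are reported as "unknown" rather than guessed.

```python
import re

# First fixed release for each series named in the advisory.
FIXED_IN = {
    (6, 0): (6, 0, 4),
    (5, 2): (5, 2, 13),
    (4, 2): (4, 2, 30),
}

# Matches exact pins like "django==6.0.3" or "Django == 4.2.30  # comment".
PIN_RE = re.compile(r"^\s*django\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*(?:#.*)?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'6.0.3' -> (6, 0, 3); a bare '6.0' release compares as 6.0.0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown' (series not evaluated by the advisory)."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def check_requirements(lines) -> list:
    """Return [(pinned_version, status)] for every django pin found in the given lines."""
    results = []
    for line in lines:
        m = PIN_RE.match(line)
        if m:
            results.append((m.group(1), assess(m.group(1))))
    return results


# Constructed sample requirements (not taken from any real project).
SAMPLE_REQUIREMENTS = [
    "requests==2.32.3",
    "Django==6.0.3",        # below 6.0.4 -> vulnerable
    "django==5.2.13   # ok",  # first fixed 5.2 release
    "django==4.1.13",       # series not evaluated in the advisory
]

if __name__ == "__main__":
    for version, status in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"django=={version}: {status}")
```

Only exact `==` pins are recognised; a range specifier such as `django>=4.2` says nothing about the installed release, so resolve it first (for example with `pip freeze`) and feed the pinned output to the checker.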
Limit the maximum size of multipart uploads and monitor server resource usage.
Currently, there are no specific tools to detect this vulnerability, but monitoring server resource usage can help identify potential attacks.
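The mitigation guidance above (limit multipart upload size, monitor resource usage) and the note that no specific detection tool exists both leave the request itself uninspected. The Python function below is an added example, not code from this advisory or from Django: it walks a multipart/form-data body, picks out parts declaring Content-Transfer-Encoding: base64, and reports those whose whitespace share is far above what RFC 2045 line wrapping produces. The boundary, the sample body and the 0.2 threshold are all constructed assumptions for this illustration.

```python
import base64
import re

WHITESPACE = re.compile(rb"\s")


def split_multipart(body: bytes, boundary: bytes) -> list:
    """Split a multipart body into (headers, raw_payload) tuples.

    Header names are lower-cased; the payload is left undecoded so that
    transfer-encoding artefacts such as padding whitespace remain visible.
    """
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, sep, payload = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue  # malformed part with no header/body separator
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        if payload.endswith(b"\r\n"):
            payload = payload[:-2]  # CRLF that precedes the next delimiter
        parts.append((headers, payload))
    return parts


def whitespace_ratio(payload: bytes) -> float:
    """Fraction of payload bytes that are whitespace (0.0 for an empty payload)."""
    if not payload:
        return 0.0
    return len(WHITESPACE.findall(payload)) / len(payload)


def suspicious_base64_parts(body: bytes, boundary: bytes, max_ratio: float = 0.2) -> list:
    """Return [(content-disposition, ratio)] for base64 parts above max_ratio.

    RFC 2045 wraps base64 at 76 characters, so a legitimate part carries about
    2 whitespace bytes per 78; the assumed 0.2 threshold sits well above that.
    """
    flagged = []
    for headers, payload in split_multipart(body, boundary):
        if headers.get("content-transfer-encoding", "").lower() != "base64":
            continue
        ratio = whitespace_ratio(payload)
        if ratio > max_ratio:
            flagged.append((headers.get("content-disposition", ""), ratio))
    return flagged


# --- constructed sample body (not a captured request) ----------------------
BOUNDARY = b"constructed-boundary"


def _part(name: str, payload: bytes) -> bytes:
    """Build one base64-declared file part for the sample body."""
    return (
        b"--" + BOUNDARY + b"\r\n"
        b'Content-Disposition: form-data; name="' + name.encode() + b'"; filename="f.bin"\r\n'
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Transfer-Encoding: base64\r\n\r\n"
        + payload + b"\r\n"
    )


# Ordinary part: RFC 2045 wrapped base64 of 100 bytes (2 newlines in 138 bytes).
NORMAL = base64.encodebytes(b"x" * 100)
# Anomalous part: a short base64 string surrounded by far more whitespace than data.
PADDED = b" " * 400 + base64.b64encode(b"hello world") + b"\n" * 400

SAMPLE_BODY = _part("ok", NORMAL) + _part("padded", PADDED) + b"--" + BOUNDARY + b"--\r\n"

if __name__ == "__main__":
    for disposition, ratio in suspicious_base64_parts(SAMPLE_BODY, BOUNDARY):
        print(f"flagged {disposition!r}: whitespace ratio {ratio:.2f}")
```

Run from middleware, this check would operate on request.body before the multipart parser sees it; note that request.body buffers the whole upload in memory and that Django refuses bodies larger than DATA_UPLOAD_MAX_MEMORY_SIZE at that point, so the size limit recommended above also bounds the cost of this scan. The ratio is a heuristic for triage and logging, not a replacement for upgrading to a fixed release.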
Seokchan Yoon reported this vulnerability.