CVE-2024-56374

Advisory

Affected versions of Django are vulnerable to a potential denial-of-service attack due to improper IPv6 validation. The lack of upper limit enforcement for input strings in clean_ipv6_address, is_valid_ipv6_address, and the django.forms.GenericIPAddressField form field allowed attackers to exploit overly long inputs, causing resource exhaustion. The vulnerability is addressed by defining a max_length of 39 characters for affected form fields. The django.db.models.GenericIPAddressField model field was not impacted. Users should upgrade promptly.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

===========================

*January 14, 2025*

Django 4.2.18 fixes a security issue with severity "moderate" in 4.2.17.

CVE-2024-56374: Potential denial-of-service vulnerability in IPv6 validation
============================================================================

Lack of upper bound limit enforcement in strings passed when performing IPv6
validation could lead to a potential denial-of-service attack. The undocumented
and private functions ``clean_ipv6_address`` and ``is_valid_ipv6_address`` were
vulnerable, as was the :class:`django.forms.GenericIPAddressField` form field,
which has now been updated to define a ``max_length`` of 39 characters.

The :class:`django.db.models.GenericIPAddressField` model field was not
affected.


===========================

Resources

• https://docs.djangoproject.com/en/5.1/releases/5.1.5/
• https://docs.djangoproject.com/en/5.1/releases/5.0.11/https://docs.djangoproject.com/en/5.1/releases/4.2.18/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56374