| Package | python-django |
|---|---|
| Version | 1:1.10.7-2+deb9u28 (stretch), 1:1.11.29-1+deb10u17 (buster) |
| Related CVEs | CVE-2025-64460 |
A potential denial-of-service vulnerability was discovered in Django, a popular Python-based web development framework.
An algorithmic complexity issue in getInnerText() in django.core.serializers.xml_serializer could allow a remote attacker to cause a denial of service, triggering CPU and memory exhaustion via specially crafted XML input submitted to a service that invokes the XML deserializer. The vulnerability resulted from repeated string concatenation while recursively collecting text nodes, which produced superlinear computation: each level of the recursion re-copied the full text of its subtree.
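To make the pattern concrete, the following added example (not Django's own getInnerText() code) contrasts a recursive text collector that concatenates strings at every level with the hardened shape that gathers fragments into one list and joins once. nested_document() builds a constructed sample input; all function names are assumptions.

```python
import time
from xml.dom import minidom

# Added illustration of the text-collecting pattern the advisory describes.
# Not Django's own getInnerText(); a simplified stand-in for the two shapes.

def inner_text_concat(node):
    """Vulnerable shape: concatenate at every level of the recursion.
    Each level copies the full text of its subtree into the accumulator, so
    N nested elements that each carry text cost O(N^2) character copies."""
    text = ""
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            text += child.data
        elif child.nodeType == child.ELEMENT_NODE:
            text += inner_text_concat(child)  # copies the whole subtree text
    return text

def inner_text_join(node, parts=None):
    """Hardened shape: append fragments to one shared list while walking and
    join once at the top, so total work is linear in the size of the text."""
    top = parts is None
    if top:
        parts = []
    for child in node.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.ELEMENT_NODE:
            inner_text_join(child, parts)
    return "".join(parts) if top else ""

def nested_document(depth, payload):
    """Constructed sample input: `depth` nested <e> elements, each carrying
    `payload` as its own text node. Keep depth below the recursion limit."""
    xml = ("<e>" + payload) * depth + "</e>" * depth
    return minidom.parseString(xml).documentElement

def seconds(fn, root):
    """Wall-clock time of one call, used by the comparison below."""
    start = time.perf_counter()
    fn(root)
    return time.perf_counter() - start

if __name__ == "__main__":
    # Doubling the depth roughly quadruples the concat time but only doubles join.
    for depth in (100, 200, 400, 800):
        root = nested_document(depth, "x" * 2000)
        print(f"depth={depth:4d}  concat={seconds(inner_text_concat, root):.4f}s"
              f"  join={seconds(inner_text_join, root):.4f}s")
```

Both functions return the same text; only the growth rate differs, which is what a deserializer exposed to untrusted XML has to care about.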
For Debian 10 buster, these problems have been fixed in version 1:1.11.29-1+deb10u17.
For Debian 9 stretch, these problems have been fixed in version 1:1.10.7-2+deb9u28.
We recommend that you upgrade your python-django packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.