CVE-2025-64460 Affecting python-django package, versions <3:5.2.4-1ubuntu2.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-UBUNTU2510-PYTHONDJANGO-14167986
- published3 Dec 2025
- disclosed2 Dec 2025
Introduced: 2 Dec 2025
NewCVE-2025-64460 (opens in a new tab)How to fix?
Upgrade Ubuntu:25.10 python-django to version 3:5.2.4-1ubuntu2.2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-django package and not the python-django package as distributed by Ubuntu.
See How to fix? for Ubuntu:25.10 relevant fixed versions and status.
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in django.core.serializers.xml_serializer.getInnerText() allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML Deserializer.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.