https://www.djangoproject.com/weblog/2025/mar/06/security-releases/
In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing releases for `Django 5.1.7 <https://docs.djangoproject.com/en/dev/releases/5.1.7/>`_, `Django 5.0.13 <https://docs.djangoproject.com/en/dev/releases/5.0.13/>`_ and `Django 4.2.20 <https://docs.djangoproject.com/en/dev/releases/4.2.20/>`_. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2025-26699: Potential denial-of-service in ``django.utils.text.wrap()``
===========================================================================

The ``django.utils.text.wrap()`` and ``wordwrap`` template filter were subject to a potential denial-of-service attack when used with very long strings.

Thanks to sw0rd1ight for the report.

This issue has severity "moderate" according to the Django security policy.

Affected supported versions
===========================

* Django main
* Django 5.2 (currently at pre-release beta status)
* Django 5.1
* Django 5.0
* Django 4.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main, 5.2, 5.1, 5.0, and 4.2 branches. The patches may be obtained from the following changesets.

CVE-2025-26699: Potential denial-of-service in ``django.utils.text.wrap()``
---------------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b>`__
* On the `5.2 branch <https://github.com/django/django/commit/3cfa472644d4ce764d84fed739177b5765ea4b8a>`__
* On the `5.1 branch <https://github.com/django/django/commit/8dbb44d34271637099258391dfc79df33951b841>`__
* On the `5.0 branch <https://github.com/django/django/commit/4f2765232336b8ad0afd8017d9d912ae93470017>`__
* On the `4.2 branch <https://github.com/django/django/commit/e88f7376fe68dbf4ebaf11fad1513ce700b45860>`__

The following releases have been issued
=======================================

* Django 5.1.7 (`download Django 5.1.7 <https://www.djangoproject.com/m/releases/5.1/Django-5.1.7.tar.gz>`_ | `5.1.7 checksums <https://www.djangoproject.com/m/pgp/Django-5.1.7.checksum.txt>`_)
* Django 5.0.13 (`download Django 5.0.13 <https://www.djangoproject.com/m/releases/5.0/Django-5.0.13.tar.gz>`_ | `5.0.13 checksums <https://www.djangoproject.com/m/pgp/Django-5.0.13.checksum.txt>`_)
* Django 4.2.20 (`download Django 4.2.20 <https://www.djangoproject.com/m/releases/4.2/Django-4.2.20.tar.gz>`_ | `4.2.20 checksums <https://www.djangoproject.com/m/pgp/Django-4.2.20.checksum.txt>`_)

The PGP key ID used for this release is Sarah Boyce: `3955B19851EA96EF <https://github.com/sarahboyce.gpg>`_

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via private email to ``secur...@djangoproject.com``, and not via Django's Trac instance, nor via the Django Forum. Please see `our security policies <https://www.djangoproject.com/security/>`_ for further information.
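
To check a project's pins against the fixed releases listed above, the following added example (not part of the Django announcement or of Django's code) audits the Django line of a requirements file. The names ``FIXED``, ``classify``, ``audit`` and the sample file are assumptions made for illustration; a series for which this page names no fixed release is reported as ``unknown``.

```python
import re

# Fixed releases named in this advisory, keyed by release series.
FIXED = {(5, 1): (5, 1, 7), (5, 0): (5, 0, 13), (4, 2): (4, 2, 20)}

# Matches a requirement for the "django" distribution only (optionally with
# extras), so django-filter or djangorestframework are not picked up.
REQ = re.compile(r"(?i)^django(?:\[[^\]]*\])?\s*(?:==\s*([\w.]+)|[<>~!=].*)?$")


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    if not re.fullmatch(r"\d+(\.\d+){1,2}", version):
        return "unknown"                      # pre-release such as 5.2b1
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))          # "4.2" is treated as 4.2.0
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return "unknown"                      # no fixed release on this page
    # Assumption: later releases in the same series keep the fix.
    return "patched" if parts >= fixed else "vulnerable"


def audit(requirements_text):
    """Return (requirement, status) for each Django line in the text."""
    findings = []
    for raw in requirements_text.splitlines():
        # Drop comments, environment markers and line continuations.
        line = raw.split("#", 1)[0].split(";", 1)[0].rstrip("\\").strip()
        match = REQ.match(line)
        if not match:
            continue
        version = match.group(1)
        # Ranges or bare names cannot be resolved without the installed set.
        findings.append((line, classify(version) if version else "unpinned"))
    return findings


# Constructed sample requirements file, not taken from a real project.
SAMPLE = """\
# constructed sample
Django[argon2]==4.2.19  # pinned before the fix
django-filter==24.3
djangorestframework==3.15.2
"""

if __name__ == "__main__":
    for requirement, status in audit(SAMPLE):
        print(f"{status:10} {requirement}")
```

An ``unpinned`` result means the file alone cannot answer the question; check the resolved version in the deployed environment instead.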