CVE-2024-56374: 
Django vulnerability analysis and mitigation

A vulnerability was discovered in Django versions 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. The issue involves a lack of upper-bound limit enforcement in strings passed when performing IPv6 validation, which could lead to a potential denial-of-service attack. The vulnerability was disclosed on January 14, 2025, and was assigned CVE-2024-56374 (Django Weblog, NVD).

The vulnerability affects the undocumented and private functions clean_ipv6_address and is_valid_ipv6_address, as well as the django.forms.GenericIPAddressField form field. The issue has been addressed by updating the GenericIPAddressField form field to define a max_length of 39 characters. Notably, the django.db.models.GenericIPAddressField model field was not affected by this vulnerability. The issue has been classified with a CVSS v3.1 Base Score of 5.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L (NVD, OSS Security).

The vulnerability could lead to a potential denial-of-service attack through the exploitation of unbounded string processing in IPv6 validation functions. This could affect applications using the vulnerable form field or directly utilizing the affected private functions (Django Weblog).

The Django team has released patches for all affected versions: Django 5.1.5, Django 5.0.11, and Django 4.2.18. Users are strongly encouraged to upgrade to these patched versions as soon as possible. The fixes have been applied to Django's main, 5.1, 5.0, and 4.2 branches (Django Weblog).