CVE-2025-26699: 
Django vulnerability analysis and mitigation

A denial-of-service vulnerability (CVE-2025-26699) was discovered in Django affecting versions 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The vulnerability was identified in the django.utils.text.wrap() method and wordwrap template filter, which were found to be susceptible to potential denial-of-service attacks when processing very long strings. The issue was reported by security researcher sw0rd1ight and was disclosed on March 6, 2025 (Django Weblog).

The vulnerability exists in the text wrapping functionality of Django, specifically affecting the django.utils.text.wrap() method and the wordwrap template filter. The issue is classified with a CVSS v3.1 Base Score of 5.0 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L. The vulnerability is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When exploited, this vulnerability can lead to denial-of-service conditions in Django applications that use the affected text wrapping functions. The impact is primarily on the availability of the service, with no direct effect on confidentiality or integrity (Django Weblog).

The Django team has released patches for all affected versions: Django 5.1.7, Django 5.0.13, and Django 4.2.20. Users are strongly encouraged to upgrade to these patched versions immediately. The fixes have been applied to Django's main, 5.2, 5.1, 5.0, and 4.2 branches (Django Weblog).

The Django security team classified this vulnerability as having 'moderate' severity according to their security policy. The issue was handled according to Django's security release policy, with coordinated disclosure and patch releases (Django Weblog).