CVE-2025-27556: 
Django vulnerability analysis and mitigation

A denial-of-service vulnerability (CVE-2025-27556) was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14, affecting Windows systems. The vulnerability was disclosed on April 2, 2025, and impacts django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language components. The issue was discovered by security researcher sw0rd1ight (Django Security).

The vulnerability stems from Python's NFKC normalization being slow on Windows systems. This implementation weakness can be exploited through certain inputs containing a very large number of Unicode characters, potentially leading to a denial-of-service condition. The issue has been assigned a CVSS v3.1 base score of 5.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L (NVD Database).

When exploited, this vulnerability can cause a denial-of-service condition specifically on Windows systems running Django. The affected components (LoginView, LogoutView, and set_language) can become unresponsive when processing specially crafted inputs with large numbers of Unicode characters (OSS Security).

The Django team has released patches to address this vulnerability in versions 5.1.8 and 5.0.14. Users are strongly encouraged to upgrade to these versions. The fixes have been applied to Django's main branch, 5.2 (release candidate), 5.1, and 5.0 branches (Django Security).