GHSA-jh3w-4vvf-mjgr

GitHub Security Advisory

Django has regular expression denial of service vulnerability in EmailValidator/URLValidator

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

Affected Packages

PyPI Django: affected versions 3.2a1 (fixed in 3.2.20)
PyPI Django: affected versions 4.0a1 (fixed in 4.1.10)
PyPI Django: affected versions 4.2a1 (fixed in 4.2.3)

Key Information

GHSA ID: GHSA-jh3w-4vvf-mjgr
Published: July 3, 2023 3:30 PM
Last Modified: September 20, 2024 4:00 PM
CVSS Score: 7.5/10
Primary Ecosystem: PyPI
Primary Package: Django
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 9, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.