CVE-2022-41323 Overview
A denial of service vulnerability exists in Django's internationalized URLs functionality where the locale parameter is processed as a regular expression without proper escaping. This allows attackers to craft malicious locale values that trigger catastrophic backtracking in the regex engine, leading to resource exhaustion and service unavailability.
Critical Impact
Remote attackers can cause complete denial of service on Django applications using internationalized URLs by submitting specially crafted locale parameters that exploit regex complexity vulnerabilities.
Affected Products
- Django 3.2 before 3.2.16
- Django 4.0 before 4.0.8
- Django 4.1 before 4.1.2
Discovery Timeline
- 2022-10-04 - Django Project releases security patch
- 2022-10-16 - CVE-2022-41323 published to NVD
- 2025-05-14 - Last updated in NVD database
Technical Details for CVE-2022-41323
Vulnerability Analysis
This vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity), commonly known as ReDoS (Regular Expression Denial of Service). The core issue lies in Django's URL resolver handling of internationalized URLs, where the language_prefix property value is passed directly to re.compile() without sanitization.
When Django processes internationalized URLs, it constructs a regular expression pattern using the locale parameter. An attacker can supply a specially crafted locale value containing regex metacharacters that cause exponential time complexity during pattern matching. This results in the regex engine entering a state of catastrophic backtracking, consuming excessive CPU resources and blocking the application from serving legitimate requests.
The vulnerability is remotely exploitable without authentication, requiring only network access to the affected Django application. The attack exclusively impacts availability—no data confidentiality or integrity compromise occurs.
Root Cause
The vulnerability stems from the LocalePrefixPattern class in django/urls/resolvers.py. The regex property method passes the language_prefix value directly to Python's re.compile() function without escaping regex special characters. This design flaw allows user-controllable input to be interpreted as a regular expression pattern rather than a literal string.
Attack Vector
An attacker can exploit this vulnerability by sending HTTP requests containing malicious locale parameters designed to trigger ReDoS. The attack does not require user interaction or authentication, making it straightforward to execute from any network location with access to the vulnerable application.
# Vulnerable code in django/urls/resolvers.py
@property
def regex(self):
# This is only used by reverse() and cached in _reverse_dict.
- return re.compile(self.language_prefix)
+ return re.compile(re.escape(self.language_prefix))
@property
def language_prefix:
Source: GitHub Django Commit Details
The fix applies re.escape() to the language_prefix value before passing it to re.compile(), ensuring all regex metacharacters are treated as literal characters.
Detection Methods for CVE-2022-41323
Indicators of Compromise
- Unusual CPU spikes correlated with incoming HTTP requests containing abnormal locale parameters
- Web server logs showing requests with exceptionally long or complex locale values in internationalized URL paths
- Application timeouts or unresponsive behavior during request processing
- Elevated memory consumption in Python/Django worker processes
Detection Strategies
- Monitor web application firewalls (WAF) for requests containing regex metacharacters in locale-related URL segments
- Implement request timeout thresholds to detect and terminate long-running regex operations
- Analyze server logs for patterns of requests targeting internationalized URL endpoints with unusual parameter values
- Deploy application performance monitoring (APM) to detect anomalous CPU utilization during URL resolution
Monitoring Recommendations
- Configure alerting for sustained high CPU usage in Django application workers
- Implement rate limiting on endpoints that process internationalized URLs
- Enable detailed request logging to capture locale parameter values for forensic analysis
- Monitor for patterns of repeated requests from single sources targeting i18n URL paths
How to Mitigate CVE-2022-41323
Immediate Actions Required
- Upgrade Django to version 3.2.16, 4.0.8, or 4.1.2 or later immediately
- Review application logs for evidence of exploitation attempts
- Implement request timeouts at the web server or reverse proxy level
- Consider temporarily disabling internationalized URLs if patching cannot be performed immediately
Patch Information
The Django Project released security patches on October 4, 2022, addressing this vulnerability across all supported release branches. The fix involves wrapping the language_prefix value with re.escape() before regex compilation.
Patched versions:
- Django 3.2.16 for the 3.2.x LTS branch
- Django 4.0.8 for the 4.0.x branch
- Django 4.1.2 for the 4.1.x branch
For detailed information, see the Django Weblog Security Releases and Django Security Releases Documentation.
Workarounds
- Deploy a web application firewall (WAF) with rules to sanitize or block requests containing regex metacharacters in locale parameters
- Implement request timeout limits at the reverse proxy or load balancer level to prevent long-running regex operations
- Restrict access to internationalized URL endpoints to trusted networks if public access is not required
- Use input validation middleware to limit locale parameter length and character set
# Configuration example - nginx timeout settings
location / {
proxy_pass http://django_app;
proxy_connect_timeout 10s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
