CVE-2026-33033 Overview
A denial of service vulnerability was discovered in Django's MultiPartParser component. The vulnerability allows remote attackers to degrade server performance by submitting multipart uploads with Content-Transfer-Encoding: base64 containing excessive whitespace. This algorithmic complexity attack can cause significant resource exhaustion on affected Django applications.
Critical Impact
Remote attackers can degrade Django application performance through crafted multipart uploads, potentially causing service disruption without requiring elevated privileges.
Affected Products
- Django 6.0 before 6.0.4
- Django 5.2 before 5.2.13
- Django 4.2 before 4.2.30
- Earlier unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected
Discovery Timeline
- 2026-04-07 - Vulnerability reported by Seokchan Yoon
- 2026-04-07 - Django releases security patches
- 2026-04-07 - CVE-2026-33033 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-33033
Vulnerability Analysis
This vulnerability (CWE-407: Inefficient Algorithmic Complexity) exists in Django's MultiPartParser class, which is responsible for parsing multipart form data including file uploads. The flaw stems from how the parser handles base64-encoded content with excessive whitespace characters.
When processing multipart uploads that specify Content-Transfer-Encoding: base64, the parser must decode the base64 content. An attacker can exploit this by including large amounts of whitespace characters within the base64-encoded payload. The inefficient handling of these whitespace characters during the decoding process causes the parser to consume excessive CPU and memory resources, leading to performance degradation.
Root Cause
The root cause is an inefficient algorithmic implementation in the MultiPartParser when handling base64-encoded multipart data. The parser does not adequately limit or efficiently process whitespace characters embedded within base64-encoded content, allowing attackers to craft payloads that trigger worst-case algorithmic complexity during parsing operations.
Attack Vector
The attack can be executed remotely over the network by any authenticated user. An attacker sends specially crafted HTTP multipart form requests to any Django endpoint that processes file uploads or multipart data. The malicious request includes:
- A Content-Transfer-Encoding: base64 header in the multipart section
- Base64-encoded content with excessive whitespace characters injected throughout
The vulnerability can be exploited against any Django view that accepts multipart form data, including file upload endpoints, form submissions, and API endpoints using multipart content types.
When a malicious request is received, the MultiPartParser attempts to decode the base64 content. The excessive whitespace causes the parsing algorithm to perform inefficiently, consuming disproportionate server resources relative to the request size. Repeated requests can exhaust server resources and cause denial of service conditions.
Detection Methods for CVE-2026-33033
Indicators of Compromise
- Unusual increase in multipart POST requests to file upload endpoints
- Server performance degradation correlated with incoming HTTP requests
- High CPU utilization in Django worker processes handling form parsing
- Memory consumption spikes in Python/Django application processes
Detection Strategies
- Monitor web application logs for abnormally large multipart requests with base64 encoding
- Implement request size and parsing time thresholds to identify anomalous upload behavior
- Deploy web application firewall (WAF) rules to detect and block requests with excessive whitespace in base64 content
- Configure application performance monitoring (APM) to alert on elevated request processing times for multipart endpoints
Monitoring Recommendations
- Enable detailed logging for Django's file upload handling components
- Set up alerts for sustained high CPU usage in Django application servers
- Monitor request queue depths and response times for endpoints accepting multipart data
- Track the ratio of request size to processing time to identify algorithmic complexity attacks
How to Mitigate CVE-2026-33033
Immediate Actions Required
- Upgrade Django to patched versions: 6.0.4, 5.2.13, or 4.2.30 immediately
- If using unsupported Django versions (5.0.x, 4.1.x, 3.2.x), plan migration to a supported version
- Implement rate limiting on endpoints that accept multipart form data
- Consider temporarily disabling base64 content-transfer-encoding support if not required by your application
Patch Information
Django has released security patches addressing this vulnerability. Organizations should upgrade to the following versions:
| Current Version | Upgrade To |
|---|---|
| 6.0.x | 6.0.4 or later |
| 5.2.x | 5.2.13 or later |
| 4.2.x | 4.2.30 or later |
For detailed patch information, refer to the Django Security Releases Documentation and the Django Weblog Security Releases.
Workarounds
- Deploy a reverse proxy or WAF that filters requests with Content-Transfer-Encoding: base64 and excessive whitespace
- Implement request timeouts at the web server level (nginx, Apache) to limit parsing time for individual requests
- Add application-level validation to reject multipart requests exceeding reasonable size or complexity thresholds
- Consider implementing custom middleware to sanitize or reject suspicious multipart content before it reaches Django's parser
```nginx
# Example nginx configuration to limit request body size and timeout
# Add to the server or location block that proxies Django uploads
client_max_body_size 10m;   # reject bodies over 10 MB before they reach Django
client_body_timeout 30s;    # max wait between two successive reads of the request body
proxy_read_timeout 60s;     # max wait for Django's response, which bounds parse time
```
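The whitespace check that both the WAF rule in Detection Strategies and the custom-middleware workaround above call for, as an added example written for this page (it is not Django's code and does not patch the parser). It assumes a 5% whitespace cut-off and a constructed two-part body; in Django you would call `looks_like_whitespace_padding` from a middleware that reads `request.body` before the view runs, and only once body size is bounded upstream.

```python
import re

# Whitespace fraction tolerated inside a base64-encoded part. RFC 2045 base64
# wraps at 76 columns, so legitimate uploads stay near 2-3% whitespace; the 5%
# cut-off is an assumption to tune for your application.
MAX_WHITESPACE_RATIO = 0.05

_CTE_BASE64 = re.compile(rb"content-transfer-encoding\s*:\s*base64", re.IGNORECASE)
_BOUNDARY = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)


def boundary_from_content_type(content_type: str):
    """Extract the multipart boundary from a Content-Type header value."""
    m = _BOUNDARY.search(content_type)
    return m.group(1).encode() if m else None


def base64_parts(body: bytes, boundary: bytes):
    """Yield the raw payload of every part declared Content-Transfer-Encoding: base64.

    Minimal RFC 2046 splitting: parts are separated by --boundary and each part's
    headers end at the first blank line. The payload is inspected, never decoded.
    """
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter: --boundary--
            break
        head, sep, payload = chunk.partition(b"\r\n\r\n")
        if sep and _CTE_BASE64.search(head):
            yield payload[:-2] if payload.endswith(b"\r\n") else payload


def whitespace_ratio(payload: bytes) -> float:
    """Fraction of bytes in payload that are whitespace (space, tab, CR, LF)."""
    if not payload:
        return 0.0
    return sum(payload.count(c) for c in (b" ", b"\t", b"\r", b"\n")) / len(payload)


def looks_like_whitespace_padding(body: bytes, boundary: bytes,
                                  max_ratio: float = MAX_WHITESPACE_RATIO) -> bool:
    """True if any base64 part carries more whitespace than max_ratio."""
    return any(whitespace_ratio(p) > max_ratio for p in base64_parts(body, boundary))


# Constructed sample bodies for exercising the check (not captured traffic).
BOUNDARY = b"XYZ"
BENIGN_BODY = (b"--XYZ\r\nContent-Disposition: form-data; name=\"title\"\r\n\r\nhello\r\n"
               b"--XYZ\r\nContent-Disposition: form-data; name=\"f\"; filename=\"a.txt\"\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\naGVsbG8gd29ybGQ=\r\n--XYZ--\r\n")
# Same upload with a space between every base64 character: the padding pattern.
PADDED_BODY = BENIGN_BODY.replace(b"aGVsbG8gd29ybGQ=", " ".join("aGVsbG8gd29ybGQ=").encode())
```

Because the check scans the raw body once without decoding it, its cost is linear in the request size, so it does not reintroduce the parser's worst case.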
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

