Description
An issue was discovered in Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.
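The defect class described above, as an added illustration that is not Django's own code: an ASGI body reader that enforces the size limit only against the declared `Content-Length` can be driven past it by a peer whose header understates (or omits) the length, while a reader that counts the bytes actually received from `receive()` stays bounded. The `make_receive` helper, the reader functions and the sample chunks are constructed for this example; the exception name mirrors Django's `RequestDataTooBig`.

```python
import asyncio

class RequestDataTooBig(Exception):
    """Raised when the body exceeds the configured limit (mirrors Django's exception name)."""

DATA_UPLOAD_MAX_MEMORY_SIZE = 2_621_440  # Django's default limit: 2.5 MiB

def make_receive(chunks):
    """Build an ASGI `receive` callable that replays the given (constructed) body chunks."""
    queue = list(chunks)
    async def receive():
        if len(queue) > 1:
            return {"type": "http.request", "body": queue.pop(0), "more_body": True}
        body = queue.pop(0) if queue else b""
        return {"type": "http.request", "body": body, "more_body": False}
    return receive

async def read_body_trusting_header(content_length, receive, limit):
    """Vulnerable pattern: the limit is checked only against the declared Content-Length."""
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig("declared body too large")
    body = b""
    while True:  # a missing or understated header lets this loop grow `body` without bound
        message = await receive()
        body += message.get("body", b"")
        if not message.get("more_body", False):
            return body

async def read_body_bounded(content_length, receive, limit):
    """Hardened pattern: check the declared length AND every byte actually received."""
    if content_length is not None and content_length > limit:
        raise RequestDataTooBig("declared body too large")
    chunks, received = [], 0
    while True:
        message = await receive()
        chunk = message.get("body", b"")
        received += len(chunk)
        if received > limit:  # bounds memory regardless of what the header claimed
            raise RequestDataTooBig("received body exceeds limit")
        chunks.append(chunk)
        if not message.get("more_body", False):
            return b"".join(chunks)

def read_sync(reader, content_length, chunks, limit=DATA_UPLOAD_MAX_MEMORY_SIZE):
    """Run a reader to completion; return the body length, or the exception name on rejection."""
    try:
        return len(asyncio.run(reader(content_length, make_receive(chunks), limit)))
    except RequestDataTooBig:
        return "RequestDataTooBig"
```

With a constructed request whose header claims 10 bytes but whose peer streams three 1 KiB chunks against a 2 KiB limit, `read_sync(read_body_trusting_header, 10, [b"x" * 1024] * 3, limit=2048)` returns 3072 (limit bypassed) while the bounded reader returns `"RequestDataTooBig"`.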
Problem types
CWE-770: Allocation of Resources Without Limits or Throttling
Product status
6.0 (semver) before 6.0.4: affected
6.0.4 (semver): fixed
5.2 (semver) before 5.2.13: affected
5.2.13 (semver): fixed
4.2 (semver) before 4.2.30: affected
4.2.30 (semver): fixed
Timeline
| Date | Event |
|---|---|
| 2026-02-24 | Initial report received. |
| 2026-03-17 | Vulnerability confirmed. |
| 2026-04-07 | Security release issued. |
Credits
Superior
Natalia Bidart
Jacob Walls
References
docs.djangoproject.com/en/dev/releases/security/ (Django security archive)
groups.google.com/g/django-announce (Django releases announcements)
www.djangoproject.com/weblog/2026/apr/07/security-releases/ (Django security releases issued: 6.0.4, 5.2.13, and 4.2.30)