
Django Releases Security Updates: 5.1.7, 5.0.13, and 4.2.20
TL;DR
The Django team has announced security updates for versions 5.1.7, 5.0.13, and 4.2.20. Users are urged to update as soon as possible to address identified security issues.
The Django team announced security updates for versions 5.1.7, 5.0.13, and 4.2.20 that resolve identified security issues. Users are advised to update as soon as possible.
Vulnerability Details
CVE-2025-26699 is a potential **denial of service (DoS)** in the django.utils.text.wrap() function. Both the function and the wordwrap template filter could be exploited through the use of extremely long strings.
Under Django's security policy, the severity of this vulnerability is classified as "moderate". Thanks to sw0rd1ight for reporting the issue.
Affected Versions
- Core Django
- Django 5.2 (in pre-release beta version)
- Django 5.1
- Django 5.0
- Django 4.2
Fixes
Fixes for the vulnerability have been implemented in the master branch of Django and in versions 5.2, 5.1, 5.0, and 4.2. The patches are available in the following commits:
Released Versions
- Django 5.1.7 (download | checksums)
- Django 5.0.13 (download | checksums)
- Django 4.2.20 (download | checksums)
The PGP key ID used for this release is Sarah Boyce: 3955B19851EA96EF.
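To check pinned dependencies against the fixed releases listed above, here is an added example (not code from the Django project or from the original announcement). It classifies exact `Django==` pins in a requirements file; the function names and the sample file are constructed for illustration, and any version outside the 5.1, 5.0 and 4.2 series is reported as unknown because this announcement names no fixed release for it.

```python
import re

# Fixed patch level per release series, as named in this advisory.
FIXED = {(5, 1): 7, (5, 0): 13, (4, 2): 20}

# Exact pins such as "Django==5.1.6" or "django[argon2] == 4.2.20  # note".
# "django-filter" and "djangorestframework" do not match.
PIN_RE = re.compile(r"^\s*django(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", re.IGNORECASE)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a Django version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    series = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)  # "5.1" means 5.1.0
    if series not in FIXED or m.group(4):
        # No fixed release is named for this series (this includes the 5.2
        # pre-releases listed as affected), or the version carries a suffix.
        return "unknown"
    return "patched" if patch >= FIXED[series] else "vulnerable"


def audit_requirements(text):
    """Return (line_number, version, status) for each exact Django pin."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = PIN_RE.match(line)
        if m:
            findings.append((number, m.group(1), classify(m.group(1))))
    return findings


# Constructed sample requirements file, not taken from any real project.
SAMPLE = """\
# web stack
Django==5.1.6
django-filter==24.3
djangorestframework==3.15.2
"""

if __name__ == "__main__":
    for number, version, status in audit_requirements(SAMPLE):
        print(f"line {number}: Django {version} -> {status}")
```

Range specifiers such as `Django>=4.2` are not evaluated; resolve them to an installed version first and pass that string to `classify()`.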
General Notes on Security Reporting
Any security issues should be reported privately via email to security@djangoproject.com and not through Django's Trac or Forum. For more information, please refer to our security policies.


