CVE-2024-56374

CVE-2024-56374 is a denial-of-service vulnerability in Django web framework versions 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. It stems from a lack of upper-bound limit enforcement on strings passed during IPv6 validation, which can lead to excessive resource consumption. The affected components include the undocumented private functions clean_ipv6_address and is_valid_ipv6_address, as well as the django.forms.GenericIPAddressField form field; the django.db.models.GenericIPAddressField model field is explicitly not vulnerable. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L).

Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By submitting specially crafted IPv6 address strings to vulnerable validation functions or form fields, attackers can trigger resource exhaustion, resulting in a denial-of-service condition on the affected Django application. The changed scope (S:C) indicates potential impact beyond the vulnerable component itself.

Django security advisories recommend upgrading to patched versions—5.1.5, 5.0.11, or 4.2.18—to mitigate the issue, as detailed in the official release notes and announcements. Additional notifications appear in Django's announce group, security weblog, oss-security mailing list, and Debian LTS updates.