Miggo Logo
Miggo Vulnerability Database
CVE-2015-5145

CVE-2015-5145: Django ReDoS in validators.URLValidator

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2015-5145
GHSA ID
GHSA-cqf7-ff9h-7967
EPSS Score
0.82571%
CWE
CWE-400
Published
5/17/2022
Updated
9/18/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Djangopip>= 1.8a1, < 1.8.31.8.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub commit shows a critical modification to the 'domain_re' regex in URLValidator's host pattern matching. The vulnerability stems from the regex's structure allowing excessive backtracking (CWE-1333). The patch replaces the vulnerable pattern with one that uses negative lookaheads/lookbehinds ((?!-) and (?<!-)) to prevent backtracking attacks. The advisory explicitly states this was a security fix for URLValidator's regex inefficiency, and the CWE-1333 mapping confirms the regex complexity issue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

`v*li**tors.URLV*li**tor` in *j*n*o *.*.x ***or* *.*.* *llows r*mot* *tt**k*rs to **us* * **ni*l o* s*rvi** (*PU *onsumption) vi* unsp**i*i** v**tors.

Reasoning

T** *it*u* *ommit s*ows * *riti**l mo*i*i**tion to t** '*om*in_r*' r***x in `URLV*li**tor`'s *ost p*tt*rn m*t**in*. T** vuln*r**ility st*ms *rom t** r***x's stru*tur* *llowin* *x**ssiv* ***ktr**kin* (*W*-****). T** p*t** r*pl***s t** vuln*r**l* p*tt*