Broken Authentication in Django naturally [Mar 2026] [CVE-2007-5712]

The CVE-2007-5712 advisory describes a Denial of Service risk tied to Django's internationalization (i18n) framework when USE_I18N is enabled and the i18n component is active. Django versions 0.91, 0.95, 0.95.1, and 0.96 were affected, including deployments such as PyLucid that used Django’s i18n features. An attacker could send a flood of HTTP requests with oversized Accept-Language headers, triggering excessive memory allocation during per-request language negotiation and potentially exhausting server resources. The patch for this vulnerability reduces the memory footprint of Accept-Language processing and strengthens language negotiation handling to prevent abuse. In practice, the vulnerability manifested when per-request language selection ran directly on Accept-Language headers without safeguards. With large, repeated header values, Django’s i18n machinery could allocate substantial in-memory structures for translation lookups, leading to memory exhaustion under load. Exploitation did not require authentication or special privileges, simply flooding the application with crafted headers, which could degrade service or crash worker processes. The recommended fix in real Django code is to upgrade to a patched release where i18n header handling is hardened and to avoid unsafe, ad-hoc language activation from client headers. Prefer Django’s safe language negotiation utilities (for example, get_language_from_request) or ensure Accept-Language processing is bounded and constrained by configured LANGUAGES and middleware. If you must parse headers manually, apply header-length limits and cap the number of languages parsed. For long-term resilience, ensure i18n is used only where translations are necessary and consider disabling or conditionally enabling i18n in high-traffic paths. As with any legacy CVE, verify all dependencies and downstream integrations (e.g., PyLucid) are updated to include the patch, and add tests that protect against header-based DoS by validating memory usage and correct language negotiation behavior under varied Accept-Language inputs.