Broken Object Level Authorization

Broken Object Level Authorization & Django: CVE-2007-5712

[Updated Mar 2026] Updated CVE-2007-5712

Overview

CVE-2007-5712 describes a denial-of-service risk in Django's internationalization (i18n) framework when USE_I18N is enabled and the i18n components are active. An attacker could overwhelm a Django deployment by sending many HTTP requests carrying extremely large or numerous Accept-Language headers: each request forces the translation machinery to parse the header and load additional catalogs and languages, driving up memory consumption in the worker processes. In real deployments that rely on Django's internationalization features, such as PyLucid, this could mean degraded performance or a service outage under load. The CVE illustrates how i18n handling in older Django versions could contribute to resource exhaustion under crafted input. This class of vulnerability manifests as an object-level or resource exhaustion risk at the HTTP request handling layer, triggered by crafted headers that force more work in language resolution and translation loading than the server can safely perform.

Affected Versions

0.91.x, 0.95, 0.95.1, 0.96

Code Fix Example

Django API Security Remediation
Vulnerable pattern:

from django.utils.translation import get_language_from_request, activate
from django.http import HttpResponse

def my_view(request):
    # vulnerable: relies on locale from Accept-Language header without bounds
    lang = get_language_from_request(request)
    activate(lang)
    return HttpResponse("Hello")

Fixed pattern:

from django.http import HttpResponse
from django.middleware.locale import LocaleMiddleware
from django.utils.translation import activate, get_language_from_request


class SafeLocaleMiddleware(LocaleMiddleware):
    """LocaleMiddleware that bounds the Accept-Language header before Django parses it."""

    max_len = 1024  # cap to prevent DoS via very large headers

    def process_request(self, request):
        header = request.META.get('HTTP_ACCEPT_LANGUAGE', '')
        if len(header) > self.max_len:
            # Drop everything past the cap; a partially cut trailing
            # language range is simply ignored by the parser.
            header = header[:self.max_len]
        request.META['HTTP_ACCEPT_LANGUAGE'] = header
        super().process_request(request)


# In settings.py, replace django.middleware.locale.LocaleMiddleware
# with the bounded version, keeping it in the same position in the list.
MIDDLEWARE = [
    'path.to.SafeLocaleMiddleware',
    # ... other middleware ...
]


def my_view(request):
    # The header has already been truncated by SafeLocaleMiddleware,
    # so language resolution here runs on bounded input.
    lang = get_language_from_request(request)
    activate(lang)
    return HttpResponse("Hello")
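As an added, Django-free example (not code from the original page or from Django itself), the same hardening modelled end to end: a bounded Accept-Language parser that caps both header length and the number of language ranges, plus a size-limited cache of parsed headers so that a stream of distinct oversized headers cannot grow memory without bound. All names, limits and sample headers are this example's own assumptions.

```python
import re
from collections import OrderedDict

# Constructed limits for this example (not Django's own constants).
MAX_HEADER_LEN = 500      # characters of Accept-Language that are considered
MAX_LANG_RANGES = 20      # language ranges parsed per header
MAX_CACHE_ENTRIES = 1000  # distinct headers remembered between requests

# One language range: tag (e.g. "de-DE" or "*") with an optional q value.
_RANGE_RE = re.compile(
    r"^\s*([a-zA-Z]{1,8}(?:-[a-zA-Z0-9]{1,8})*|\*)\s*"
    r"(?:;\s*q\s*=\s*(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?\s*$"
)

_cache = OrderedDict()  # header string -> tuple of (lang, q), LRU order


def parse_accept_lang(header):
    """Return [(lang, q), ...] sorted by q descending, after capping size and count."""
    header = header[:MAX_HEADER_LEN]          # bound the work per header
    ranges = []
    for part in header.split(",")[:MAX_LANG_RANGES]:
        m = _RANGE_RE.match(part)
        if not m:                              # malformed or truncated range
            continue
        q = float(m.group(2)) if m.group(2) else 1.0
        if q > 0:                              # q=0 means "not acceptable"
            ranges.append((m.group(1).lower(), q))
    ranges.sort(key=lambda r: -r[1])           # stable: ties keep header order
    return ranges


def parse_cached(header):
    """Cache parsed headers, evicting the least recently used beyond the cap."""
    if header in _cache:
        _cache.move_to_end(header)
        return _cache[header]
    result = tuple(parse_accept_lang(header))
    _cache[header] = result
    if len(_cache) > MAX_CACHE_ENTRIES:
        _cache.popitem(last=False)
    return result


def get_language(header, supported, default="en"):
    """Pick the best supported language, falling back to the base tag, then default."""
    for lang, _q in parse_cached(header):
        if lang in supported:
            return lang
        base = lang.split("-")[0]
        if base in supported:
            return base
    return default


def cache_size():
    return len(_cache)
```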
