Overview
The CVE-2007-5712 issue describes an injection-like DoS vulnerability in Django's internationalization (i18n) framework when USE_I18N is enabled and the i18n components are active. In affected versions (Django 0.91, 0.95, 0.95.1, and 0.96) and in projects that integrated Django i18n such as PyLucid, sending a flood of HTTP requests with excessively large Accept-Language headers could cause significant memory growth on the server, leading to denial of service. The vulnerability arises from how translation catalogs and language negotiation were processed per request, potentially exhausting server memory under load. This is a classic DoS pattern tied to resource exhaustion rather than arbitrary code execution. The CVE-2007-5712 entry (CWE-399) identifies this memory consumption risk and provides patch guidance. The remediation is to upgrade to patched Django versions or apply targeted hardening to the i18n path, and to restrict or mitigate header-based inputs that trigger heavy i18n processing.
In real-world deployments, attackers could generate many requests with long Accept-Language headers hitting LocaleMiddleware and translation loading routines, exhausting memory across concurrent requests. The fix involves either upgrading to a patched release where i18n processing is hardened, disabling i18n if it is not needed, or adding defensive measures such as input-length caps before language negotiation. After applying the patch, test under load to ensure memory usage remains bounded and that requests are handled gracefully. This guidance references CVE-2007-5712 to anchor the remediation to the exact historical vulnerability and its documented mitigation path, including any PyLucid or similar projects affected by the same i18n code path.
Affected Versions
Django 0.91, 0.95, 0.95.1, 0.96; PyLucid integrations and other apps relying on the i18n path.
Code Fix Example
Django API Security Remediation
Vulnerable pattern:

# settings.py
USE_I18N = True
MIDDLEWARE = [
    'django.middleware.locale.LocaleMiddleware',
]

# views.py
from django.http import HttpResponse

def home(request):
    return HttpResponse('OK')

Fixed pattern:

# custom_middleware.py
class LimitAcceptLanguageMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response
        self.max_len = 512  # cap to prevent heavy Accept-Language processing

    def __call__(self, request):
        al = request.META.get('HTTP_ACCEPT_LANGUAGE', '')
        if len(al) > self.max_len:
            # Truncate before LocaleMiddleware parses the header
            request.META['HTTP_ACCEPT_LANGUAGE'] = al[:self.max_len]
        return self.get_response(request)

# settings.py (order matters: place the limiter before LocaleMiddleware)
MIDDLEWARE = [
    'path.to.LimitAcceptLanguageMiddleware',
    'django.middleware.locale.LocaleMiddleware',
]

Note: Upgrading Django to a patched release that fixes CVE-2007-5712 is recommended; the middleware above is an optional defense if upgrading is not feasible.
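A blunt length cap can cut the header in the middle of a language range and hand LocaleMiddleware a malformed tail. The helper below is an added example, not Django's or this page's code: it bounds the header by length and by number of entries and keeps only syntactically well-formed ranges, so whatever reaches language negotiation is small and clean. The names bound_accept_language, MAX_HEADER_LEN and MAX_TAGS are assumed for this example.

```python
import re

# Constructed limits for this example; tune to the locales a site actually serves.
MAX_HEADER_LEN = 512   # hard byte cap applied before any parsing
MAX_TAGS = 10          # maximum number of language ranges passed on

# One language-range with an optional q-value, e.g. "en-US", "fr;q=0.8", "*".
_TAG_RE = re.compile(
    r"^([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"
    r"(?:\s*;\s*q=(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$"
)


def bound_accept_language(header, max_len=MAX_HEADER_LEN, max_tags=MAX_TAGS):
    """Return a bounded, well-formed Accept-Language value ('' if nothing usable).

    The length cap is applied first so an oversized header is never tokenised
    in full; entries damaged by that cut (or malformed to begin with) are
    dropped rather than forwarded to the locale negotiation code.
    """
    if not header:
        return ""
    header = header[:max_len]
    kept = []
    for raw in header.split(","):
        m = _TAG_RE.match(raw.strip())
        if not m:
            continue  # malformed or truncated entry: discard it
        tag, q = m.group(1), m.group(2)
        kept.append(tag if q is None else f"{tag};q={q}")
        if len(kept) >= max_tags:
            break
    return ", ".join(kept)


if __name__ == "__main__":
    # Constructed inputs: a normal browser header and a flood-style oversized one.
    print(bound_accept_language("en-US,en;q=0.8, fr-CA;q=0.5"))
    huge = "de-DE;q=0.9," * 20000          # ~240 KB header
    print(len(huge), "->", len(bound_accept_language(huge)))
```

In a middleware, call this on request.META['HTTP_ACCEPT_LANGUAGE'] and store the result back before LocaleMiddleware runs.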