Security Misconfiguration

Security Misconfiguration - Django i18n DoS (CVE-2007-5712) [CVE-2007-5712]

[Fixed month year] Updated CVE-2007-5712

Overview

CVE-2007-5712 describes a Denial of Service vulnerability in Django's internationalization (i18n) framework that is present when i18n is enabled (USE_I18N) and the i18n component is active. In affected versions (Django 0.91, 0.95, 0.95.1, 0.96, and as used in PyLucid), remote attackers could send many HTTP requests carrying large Accept-Language headers, causing excessive memory consumption on the server and potential service disruption. The issue is classified under CWE-399: Resource Exhaustion.

The vulnerability manifests because the framework processes and activates translations based on per-request header values; when a header is large or lists many languages, that per-request work scales poorly under load. The patch for this CVE limits how Accept-Language data is parsed and used when i18n is enabled, and adopts safer defaults for translation activation.

In practice, deployments that rely on i18n for every request and process entire header lists without bounds are at risk of DoS under high request rates. The guidance below demonstrates the risk pattern and how to remediate it in Django code.

Affected Versions

Django 0.91, 0.95, 0.95.1, 0.96 (and as used in PyLucid)

Code Fix Example

Django API Security Remediation
# VULNERABLE PATTERN
from django.http import HttpResponse
from django.utils import translation

def vulnerable_view(request):
    # Danger: naively processing a potentially very large Accept-Language header
    accept_lang = request.META.get('HTTP_ACCEPT_LANGUAGE', '')
    languages = [part.strip() for part in accept_lang.split(',') if part.strip()]
    # Activating many languages per request can exhaust memory under load
    for lang in languages:
        translation.activate(lang)
    return HttpResponse("OK")

# FIX: rely on Django's LocaleMiddleware and avoid iterating over all languages
from django.http import HttpResponse
from django.utils import translation

def fixed_view(request):
    # Do not manually iterate all languages; use the single language chosen by LocaleMiddleware
    language = getattr(request, 'LANGUAGE_CODE', 'en')
    translation.activate(language)
    return HttpResponse("OK")
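
The Overview notes that the patch centers on bounding how Accept-Language is parsed. The following is an added, framework-independent example (not code from Django or from this page) of such a bounded parser: it refuses oversized headers, caps the number of language ranges it considers, parses q-values, and resolves a single language from a supported list. The limits MAX_HEADER_BYTES and MAX_LANGUAGE_TAGS are assumed values chosen for illustration, not the values used in the Django fix.

```python
import re
from typing import List, Tuple

# Assumed, illustrative bounds (not taken from the Django patch).
MAX_HEADER_BYTES = 1024     # reject headers longer than this outright
MAX_LANGUAGE_TAGS = 10      # consider at most this many language ranges

# One language-range with an optional q-value, e.g. "de-DE;q=0.8" or "*".
_LANG_RE = re.compile(
    r'^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)\s*'
    r'(?:;\s*q\s*=\s*(1(?:\.0{0,3})?|0(?:\.\d{0,3})?))?\s*$'
)


def parse_accept_language(header: str) -> List[Tuple[str, float]]:
    """Parse an Accept-Language header into (tag, q) pairs, highest q first.

    Work is bounded: an oversized header is treated as "no preference"
    instead of being processed in full, and at most MAX_LANGUAGE_TAGS
    well-formed ranges are kept. Malformed ranges and q=0 are dropped.
    """
    if len(header) > MAX_HEADER_BYTES:
        return []
    result: List[Tuple[str, float]] = []
    for part in header.split(','):
        if len(result) >= MAX_LANGUAGE_TAGS:
            break
        m = _LANG_RE.match(part)
        if not m:
            continue
        tag = m.group(1).lower()
        q = float(m.group(2)) if m.group(2) else 1.0
        if q > 0:
            result.append((tag, q))
    # Stable sort keeps header order for equal q-values.
    result.sort(key=lambda t: t[1], reverse=True)
    return result


def select_language(header: str, supported: List[str], default: str = 'en') -> str:
    """Pick exactly one supported language for the request (never a list).

    Exact tag matches win; otherwise the primary subtag ("de" for "de-DE")
    is tried. Falls back to the default when nothing matches.
    """
    by_lower = {s.lower(): s for s in supported}
    for tag, _q in parse_accept_language(header):
        if tag in by_lower:
            return by_lower[tag]
        base = tag.split('-')[0]
        if base in by_lower:
            return by_lower[base]
    return default
```

A view would call select_language once with request.META['HTTP_ACCEPT_LANGUAGE'] and activate only the returned code, instead of iterating over every tag the client sent.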

CVE References
