SSRF

SSRF Django Remediation Guide [Mar 2026] [CVE-2007-0404]

[Updated Mar 2026] Updated CVE-2007-0404

Overview

Historical impact: CVE-2007-0404 describes a vulnerability in Django 0.95 where bin/compile-messages.py invoked the msgfmt tool via os.system without quoting its arguments. An attacker could therefore supply a .po or .mo file whose name or contents carried shell metacharacters, which the shell interpreted, giving arbitrary command execution on the server during translation compilation. The flaw relied on untrusted input being interpolated into a shell command string, and it illustrates how unsafe shell invocation can hand control of the host to whoever controls the translation files Django processes.

Exploitation details: An attacker could place specially crafted strings or a malicious file path in a translation catalog or its input location so that, when passed to the vulnerable command, the shell executed the injected commands. Depending on the environment and the privileges of the Django process, this could lead to data leakage, data modification, or execution of arbitrary commands.

Fix in real Django code: The secure fix is to stop constructing a single shell command string from untrusted input. Replace os.system with subprocess.run using a list of arguments, or adopt a higher-level API that avoids the shell entirely. For Django, upgrade to a patched version; if you maintain translation tooling yourself, ensure compilemessages passes its arguments as a sequence rather than a string and never embeds user-controlled data in a shell command.

Remediation guidance for SSRF-like risks in Django: This vulnerability underscores why never passing untrusted input to a shell is critical. Apply the same principle to any external tooling invoked by Django (for example, translation tooling, network calls, etc.). Validate and sanitize translation files, run with least privilege, add unit tests that simulate malicious inputs, and upgrade to supported Django releases that contain the fix.

Affected Versions

Django 0.95 (as referenced by CVE-2007-0404).

Code Fix Example

Django API Security Remediation
Vulnerable pattern (OS shell):
import os

def compile_messages_vulnerable(po_path, mo_path):
    # ATTACKER INPUT could inject shell metacharacters: the whole string is
    # handed to /bin/sh, so "; echo INJECTED" becomes a second command.
    cmd = 'msgfmt -o %s %s' % (mo_path, po_path)
    os.system(cmd)

Safe pattern (no shell, list args):
import subprocess

def compile_messages_safe(po_path, mo_path):
    # Each list element reaches msgfmt as exactly one argument; no shell parses it,
    # so metacharacters in po_path are just part of a (non-existent) file name.
    cmd = ['msgfmt', '-o', mo_path, po_path]
    # check=True raises CalledProcessError if msgfmt exits non-zero.
    subprocess.run(cmd, check=True)

if __name__ == '__main__':
    # Demonstration with attacker-controlled input (do not run in production)
    attacker_po = 'translations/pt.po; echo INJECTED'
    attacker_mo = '/tmp/messages.mo'
    # compile_messages_vulnerable(attacker_po, attacker_mo)
    # The safe variant never runs "echo INJECTED"; msgfmt reports that the literal
    # file 'translations/pt.po; echo INJECTED' does not exist and check=True raises.
    compile_messages_safe(attacker_po, attacker_mo)
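The following is an added example, not Django's own code, showing two things the snippets above leave implicit: that with an argv list the child process receives the metacharacter string as a single literal argument, and that a list alone does not constrain which file is opened, so a hypothetical path check (resolve_catalog, confining paths to an assumed locale root and requiring a .po suffix) is still needed. A child Python interpreter stands in for msgfmt so the demo runs without gettext installed.

```python
import json
import subprocess
import sys
from pathlib import Path

def resolve_catalog(locale_root, user_path):
    """Hypothetical helper: confine a caller-supplied catalog path to the locale
    tree and require a .po suffix. Argv lists stop shell injection but not
    path abuse such as '../../etc/passwd'; this check covers that gap."""
    root = Path(locale_root).resolve()
    candidate = (root / user_path).resolve()
    if root not in candidate.parents:
        raise ValueError("catalog path escapes locale root: %r" % user_path)
    if candidate.suffix != ".po":
        raise ValueError("not a .po catalog: %r" % user_path)
    return candidate

def build_msgfmt_argv(po_path, mo_path):
    # One list element per OS-level argument; nothing here is parsed by a shell.
    return ["msgfmt", "-o", str(mo_path), str(po_path)]

def argv_seen_by_child(args):
    """Spawn a child Python (stand-in for msgfmt) with shell=False and return
    the argv it actually received, proving no word splitting took place."""
    echo = "import json, sys; print(json.dumps(sys.argv[1:]))"
    proc = subprocess.run([sys.executable, "-c", echo, *args],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)

def compile_messages_checked(locale_root, user_po, mo_path):
    """Validate the path first, then run msgfmt without a shell."""
    po = resolve_catalog(locale_root, user_po)
    subprocess.run(build_msgfmt_argv(po, mo_path), check=True)

if __name__ == "__main__":
    # Constructed malicious input: under os.system this would run `echo INJECTED`.
    attacker_po = "translations/pt.po; echo INJECTED"
    # Drop the leading 'msgfmt' so the child Python receives the remaining args.
    print(argv_seen_by_child(build_msgfmt_argv(attacker_po, "/tmp/messages.mo")[1:]))
    try:
        resolve_catalog("locale", attacker_po)
    except ValueError as exc:
        print("rejected:", exc)
```

The same two functions make natural unit-test fixtures for the "simulate malicious inputs" recommendation above: assert the child sees the injected string intact, and assert resolve_catalog rejects traversal and non-.po names.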

CVE References