CVE-2026-33034 PUBLISHED

Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass

Assigner: DSF
Reserved: 17.03.2026 Published: 07.04.2026 Updated: 07.04.2026

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue.

Product Status

Vendor djangoproject
Product Django
Versions Default: unaffected
  • affected from 6.0 to 6.0.4 (excl.)
  • Version 6.0.4 is unaffected
  • affected from 5.2 to 5.2.13 (excl.)
  • Version 5.2.13 is unaffected
  • affected from 4.2 to 4.2.30 (excl.)
  • Version 4.2.30 is unaffected

Credits

  • Superior reporter
  • Natalia Bidart remediation developer
  • Jacob Walls coordinator

References

Problem Types

  • CWE-770: Allocation of Resources Without Limits or Throttling CWE

Impacts

  • CAPEC-130: Excessive Allocation