{
  "threat_severity" : "Moderate",
  "public_date" : "2025-03-06T14:00:00Z",
  "bugzilla" : {
    "description" : "django: Potential denial-of-service vulnerability in django.utils.text.wrap()",
    "id" : "2348993",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348993"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.", "A potential denial of service vulnerability exists in django.utils.text.wrap() and the wordwrap template filter. When processing extremely long strings, these functions may cause excessive resource consumption, potentially leading to service disruption." ],
  "statement" : "This vulnerability is rated Moderate severity because its impact is limited to availability: the wrap() method and wordwrap template filter are exposed to a potential denial-of-service attack, in which malicious input containing extremely long strings could cause excessive processing and lead to resource exhaustion. It does not affect data confidentiality or integrity.",
  "affected_release" : [ {
    "product_name" : "Discovery 1 for RHEL 9",
    "release_date" : "2025-04-08T00:00:00Z",
    "advisory" : "RHSA-2025:3709",
    "cpe" : "cpe:/o:redhat:discovery:1.0::el9",
    "package" : "discovery/discovery-server-rhel9:1.13.1-1"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2025-06-05T00:00:00Z",
    "advisory" : "RHSA-2025:8609",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "python3x-django-0:4.2.21-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "release_date" : "2025-06-05T00:00:00Z",
    "advisory" : "RHSA-2025:8609",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
    "package" : "python-django-0:4.2.21-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-03-25T00:00:00Z",
    "advisory" : "RHSA-2025:3160",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-django-0:4.2.20-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-03-25T00:00:00Z",
    "advisory" : "RHSA-2025:3162",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-automation-platform-25/lightspeed-rhel8:2.5.250318-2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-05-06T00:00:00Z",
    "advisory" : "RHSA-2025:4553",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "automation-controller-0:4.6.12-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-03-25T00:00:00Z",
    "advisory" : "RHSA-2025:3160",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-django-0:4.2.20-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-05-06T00:00:00Z",
    "advisory" : "RHSA-2025:4553",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "automation-controller-0:4.6.12-1.el9ap"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 1.2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-tower",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-25/ee-dellemc-openmanage-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-25/lightspeed-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-25/platform-resource-runner-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-26699\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-26699\nhttps://github.com/advisories/GHSA-p3fp-8748-vqfq\nhttps://www.djangoproject.com/security/" ],
  "name" : "CVE-2025-26699",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}