CVE-2024-56374

Description

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)

How to fix CVE-2024-56374

To remediate CVE-2024-56374, upgrade the affected package to a fixed version below.

• —upgrade to 5.1.5 or later
• —upgrade to 2:2.2.28-1~deb11u5 or later
• —upgrade to 2:2.2.28-1~deb11u5 or later
• —upgrade to 5.1.5 or later
• —upgrade to 5.1.5 or later

Is CVE-2024-56374 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• >= 4.2.0, < 5.1.5
• from 0, < 2:2.2.28-1~deb11u5
• from 0, < 2:2.2.28-1~deb11u5
• >= 5.1, < 5.1.5
• >= 5.1, < 5.1.5, >= 5.0, < 5.0.11, >= 4.2, < 4.2.18

CVSS scores

References (16)

• ADVISORYgithub.com/advisories/GHSA-qcgg-j2x8-h9g8
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-56374
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-56374
• ADVISORYwww.djangoproject.com/weblog/2025/jan/14/security-releases/
• PATCH