{"id":"CVE-2024-56374","details":"An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)","aliases":["BIT-django-2024-56374","GHSA-qcgg-j2x8-h9g8","PYSEC-2025-1"],"modified":"2026-05-18T05:56:11.344090347Z","published":"2025-01-14T00:00:00Z","related":["CGA-58g6-fh6x-cw6q","SUSE-SU-2025:0149-1","openSUSE-SU-2025:14651-1","openSUSE-SU-2025:14662-1","openSUSE-SU-2026:10005-1"],"database_specific":{"cwe_ids":["CWE-770"],"cna_assigner":"mitre","unresolved_ranges":[{"extracted_events":[{"introduced":"4.2"},{"fixed":"4.2.18"},{"introduced":"5.0"},{"fixed":"5.0.11"},{"introduced":"5.1"},{"fixed":"5.1.5"}],"source":"AFFECTED_FIELD"},{"extracted_events":[{"introduced":"4.2"},{"fixed":"4.2.18"},{"introduced":"5.0"},{"fixed":"5.0.11"},{"introduced":"5.1"},{"fixed":"5.1.5"}],"source":"CPE_FIELD"},{"extracted_events":[{"introduced":"5.1"},{"fixed":"5.1.5"},{"introduced":"5.0"},{"fixed":"5.0.11"},{"introduced":"4.2"},{"fixed":"4.2.18"}],"source":"DESCRIPTION"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56374.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/01/14/2"},{"type":"WEB","url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"type":"WEB","url":"https://groups.google.com/g/django-announce"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00024.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56374.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56374"},{"type":"ARTICLE","url":"https://www.djangoproject.com/weblog/2025/jan/14/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"97aa3b7f08f51669e118f3af5ca91026e39664c3"},{"fixed":"a7b0e50eadba8f0420013605c70eb790280b0fd2"},{"introduced":"52821001bb62b764d73e63812133f199b8fef9eb"},{"fixed":"67bb624b2d3099aee4d8d8bca8a004111bfabfaa"},{"introduced":"84d09a547fe35e10018ab242602ca76c29ca91a1"},{"fixed":"3d3d7f5052edb99bafaa5a2f1a7dd5b968643727"}],"database_specific":{"extracted_events":[{"introduced":"4.2"},{"fixed":"4.2.18"},{"introduced":"5.0"},{"fixed":"5.0.11"},{"introduced":"5.1"},{"fixed":"5.1.5"}],"cpe":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56374.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"}]}