#36743: 2048 is too conservative a max length for redirect targets
-----------------------------+-------------------------------------------
Reporter: Jacob Walls | Type: Bug
Status: new | Component: HTTP handling
Version: 4.2 | Severity: Release blocker
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+-------------------------------------------
Since 4.2.3 (2023), Django has been enforcing a limit of 2048 characters
in the URL and email validators to prevent a ReDoS vector
(CVE-2023-36053).
In 5.1.8 and 5.0.14 (April 2025), Django applied this limit in more places
to prevent a DoS vector on Windows (CVE-2025-27556):
- `LoginView`
- `LogoutView`
- `set_language()`
In 5.2.8, 5.1.4, and 4.2.26 (November 2025) this same limit was applied in
an additional case (to prevent an almost identical DoS vector,
CVE-2025-64458):
- `HttpResponseRedirect`
- `HttpResponsePermanentRedirect`
- `redirect()`
We've seen multiple reports that 2048 characters is too strict for
redirects involving third-party services like S3:
- [https://github.com/goauthentik/authentik/commit/6a13b38740f92d8003e51fe2225513d1369e3e44 authentik]
- [https://forum.djangoproject.com/t/application-issues-caused-by-the-fix-for-cve-2025-27556-in-django-4-2-26/43502 forum [1]]
- [https://forum.djangoproject.com/t/cve-2025-64458-new-max-url-length-const-leads-to-issues/43507 forum [2]]
The fact that we're catching 4.2 LTS users for the first time is relevant.
----
nginx allows about 8k characters [https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers source]
apache allows about half that [https://www.measuringknowhow.com/understanding-the-max-length-of-a-query-string-explained/ source]
To my knowledge, 2048 was chosen simply because of the precedent in 4.2.3
for the URLValidator case (thereby reusing a single constant).
I'm not proposing to do anything about the URLValidator case. But for the
Windows vulnerabilities, having to do with `LoginView` and `redirect`, we
could have relaxed the limit to around nginx's 8K limit and still
mitigated them.
That's essentially what authentik did when monkey-patching this constant.
Users shouldn't have to do that (it degrades the validation for URLField).
----
I'm proposing we relax 2048 to 8192 (around the nginx limit) for the two
vulnerabilities we patched in 2025 (in `LoginView`, `redirect()` and
friends), i.e. have a second constant for those. I'm not proposing to
expose this as a setting. I'm proposing we ship it with our next regularly
scheduled patch release.
--
Ticket URL: <https://code.djangoproject.com/ticket/36743>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
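Added illustration of the proposal in the ticket above (a second, looser length constant for redirect targets while URLValidator keeps 2048). This is not Django's code and not authentik's monkey-patch: the constant names VALIDATOR_MAX_URL_LENGTH and REDIRECT_MAX_URL_LENGTH, the DisallowedRedirect class and check_redirect_target() are hypothetical stand-ins, and the S3-presigned-looking URL is constructed to show how a session token alone pushes a redirect target past 2048 characters.

```python
"""Length guard for redirect targets with a separate limit from URL validation.

Hypothetical stand-in for the behaviour discussed in Django ticket #36743;
none of these names are Django's own. The presigned-style URL is synthetic.
"""
from urllib.parse import urlencode

# Limit the ticket says Django has applied to URLValidator/EmailValidator since 4.2.3.
VALIDATOR_MAX_URL_LENGTH = 2048
# Hypothetical second constant the ticket proposes for redirects
# (around nginx's default large_client_header_buffers size).
REDIRECT_MAX_URL_LENGTH = 8192


class DisallowedRedirect(Exception):
    """Stand-in for the error a redirect helper raises on an unsafe target."""


def check_redirect_target(url: str, limit: int = REDIRECT_MAX_URL_LENGTH) -> str:
    """Reject redirect targets longer than `limit`; return the URL otherwise.

    The point of the guard is that it is an O(1) length comparison performed
    before any URL parsing, so a pathological string never reaches the parser.
    """
    if len(url) > limit:
        raise DisallowedRedirect(
            f"redirect target is {len(url)} chars, limit is {limit}"
        )
    return url


def build_presigned_style_url(token_len: int = 2000) -> str:
    """Construct an S3-presigned-looking URL dominated by a security token.

    Entirely synthetic: placeholder bucket, key, credential and signature.
    STS session tokens are commonly well over 1 KB, which is what makes real
    presigned URLs exceed 2048 characters.
    """
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": "AKIAEXAMPLE/20250101/us-east-1/s3/aws4_request",
        "X-Amz-Date": "20250101T000000Z",
        "X-Amz-Expires": "3600",
        "X-Amz-SignedHeaders": "host",
        "X-Amz-Security-Token": "T" * token_len,  # placeholder token body
        "X-Amz-Signature": "0" * 64,              # placeholder hex signature
    }
    return "https://example-bucket.s3.amazonaws.com/uploads/report.pdf?" + urlencode(query)


def classify(url: str) -> dict:
    """Report how the same URL fares under the validator limit and the redirect limit."""
    result = {"length": len(url)}
    for name, limit in (("validator", VALIDATOR_MAX_URL_LENGTH),
                        ("redirect", REDIRECT_MAX_URL_LENGTH)):
        try:
            check_redirect_target(url, limit)
            result[name] = "allowed"
        except DisallowedRedirect:
            result[name] = "rejected"
    return result


if __name__ == "__main__":
    # A realistic-length presigned URL is rejected at 2048 but accepted at 8192;
    # a short URL passes both checks.
    print(classify(build_presigned_style_url()))
    print(classify("https://example.com/"))
```

Keeping the two limits as distinct constants is what lets the redirect path relax without weakening URLField validation, which is the degradation the ticket attributes to patching the single shared constant.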