Date: 2026-06-16 Target: Django 5.2.11, CVE-2025-14550 (ASGI dup-header DoS) Verdict: WALK CLEAN.
CVE-2025-14550 (ASGI duplicate-header super-linear string concat) is properly fixed in 5.2.11:
- headers collected into defaultdict(list) then ONE ",".join(value) per name (asgi.py:87-100) = O(n).
- body read into a SpooledTemporaryFile via body_file.write(chunk) (read_body) = O(n), no concat.
No residual super-linear path. Complete.
SAME class in one release. Django's Feb-2026 bundle fixed TWO string-concat DoS bugs:
- ASGI (CVE-2025-14550): converted concat -> defaultdict(list)+join. CORRECT (O(n)). Walk.
- Truncator (CVE-2026-1285, cycle248): kept self.output += attribute concat, added a cap constant it never
applies. INCOMPLETE (O(n^2) survives). Finding.
Right fix = accumulate into a list/file and join once. Wrong fix = keep the += and bolt on an (unenforced)
cap. When you find one concat-DoS fix in a release, check the OTHER concat sites with the correct-pattern
template in hand - divergence from list+join is the tell.
entry points incl extra()); ASGI 14550 COMPLETE; Truncator 1285 INCOMPLETE (cycle248); GIS-raster 1207 + mod_wsgi-timing 13473 not audited (1207 needs PostGIS to confirm; 13473 low/niche). Django = strong sweeper with one weak fix - exactly the per-fix variance this vein exploits.