← back to lessons

Cycle249 - Same DoS class, fixed RIGHT (ASGI) vs WRONG (Truncator) in the SAME release

Date: 2026-06-16 Target: Django 5.2.11, CVE-2025-14550 (ASGI dup-header DoS) Verdict: WALK CLEAN.

The walk

CVE-2025-14550 (ASGI duplicate-header super-linear string concat) is properly fixed in 5.2.11: - headers collected into defaultdict(list) then ONE ",".join(value) per name (asgi.py:87-100) = O(n). - body read into a SpooledTemporaryFile via body_file.write(chunk) (read_body) = O(n), no concat. No residual super-linear path. Complete.

Lesson: completeness is per-FIX, and you can SEE the maintainer's competence by comparing two fixes of the

SAME class in one release. Django's Feb-2026 bundle fixed TWO string-concat DoS bugs: - ASGI (CVE-2025-14550): converted concat -> defaultdict(list)+join. CORRECT (O(n)). Walk. - Truncator (CVE-2026-1285, cycle248): kept self.output += attribute concat, added a cap constant it never applies. INCOMPLETE (O(n^2) survives). Finding. Right fix = accumulate into a list/file and join once. Wrong fix = keep the += and bolt on an (unenforced) cap. When you find one concat-DoS fix in a release, check the OTHER concat sites with the correct-pattern template in hand - divergence from list+join is the tell.

Django bundle final scorecard (4 of 6 audited): alias-SQLi 1287/1312 COMPLETE (check_alias swept all

entry points incl extra()); ASGI 14550 COMPLETE; Truncator 1285 INCOMPLETE (cycle248); GIS-raster 1207 + mod_wsgi-timing 13473 not audited (1207 needs PostGIS to confirm; 13473 low/niche). Django = strong sweeper with one weak fix - exactly the per-fix variance this vein exploits.

Generated 2026-07-02 13:15:03 UTC | auto-sync /15min