HTTP header injection via DomainNameValidator accepting newlines
Summary
An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. `DomainNameValidator` does not prohibit newlines in domain names (unless used via a form field, since `CharField` strips newlines). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because `HttpResponse` prohibits newlines in HTTP headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Bence Nagy for reporting this issue. A flaw was found in Django. django.core.validators.DomainNameValidator accepted newline characters in domain name input. When applications use this validator outside Django form fields and include the validated value in HTTP response headers, a remote attacker could perform HTTP header injection. Django core is not affected because HttpResponse rejects newlines in headers, and CharField strips newlines by default. This flaw has a Low impact on Red Hat products. A vulnerability in Django's `DomainNameValidator` allows newline characters, which could enable HTTP header injection if validated values are directly used in HTTP response headers outside of Django's standard form handling.
- < 6.0
- < 6.0.7
- < 5.2
- < 5.2.16
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- To mitigate this issue, ensure that custom Django applications do not directly place values validated by `DomainNameValidator` into HTTP response headers without further sanitization. Applications should rely on Django's default form handling and `HttpResponse` functionality, which automatically prevent newline injection. If direct header manipulation is unavoidable, implement explicit input sanitization to remove newline characters before constructing HTTP response headers.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.