The One Million Unicode Denial Of Service Attack
You are reading the Query Chronicles newsletter, a monthly publication that highlights the genius part of a vulnerability report and distils it into a straight-to-the-point trick to adopt.
This edition concerns a Denial of Service attack caused by a payload of one million Unicode characters.
The vulnerability arises when user-controlled data can reach a costly Unicode normalization with no limit on the size of the incoming data (CWE-770: Allocation of Resources Without Limits or Throttling).
This happened in Django versions before 4.2.7, with the security issue tracked as CVE-2023-46695.
NFKC (Unicode) normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField was subject to a potential denial of service attack via certain inputs containing a very large number of Unicode characters.
This can get worse, since compatibility normalization of a Unicode character such as "¾" (with forms such as NFKC or NFKD) produces the three-character sequence "3⁄4", thus tripling the potential size of the incoming data.
Django's fix is simple: it enforces a limit on the maximum size of the username field's input.
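To make the point concrete, here is an added Python example (not Django's code, and not from the original post) that measures how NFKC expands "¾", then contrasts an unbounded normalizer with one that applies the field's length limit before the expensive call. The 150-character limit and the function names are assumptions chosen for the illustration.

```python
import unicodedata
from typing import Optional, Tuple

# Constructed sample: each character has an NFKC compatibility decomposition.
# U+00BE "¾" -> "3" U+2044 FRACTION SLASH "4" (1 code point becomes 3).
# U+FB00 "ﬀ" -> "ff"                               (1 code point becomes 2).
THREE_QUARTERS = "\u00be"
FF_LIGATURE = "\ufb00"

# Assumed maximum username length for this example (not taken from the post).
MAX_USERNAME_LENGTH = 150


def nfkc_expansion(value: str) -> Tuple[int, int]:
    """Return (length before, length after) NFKC normalization of `value`."""
    normalized = unicodedata.normalize("NFKC", value)
    return len(value), len(normalized)


def normalize_username_unbounded(value: str) -> str:
    """Vulnerable pattern (CWE-770): normalize whatever arrives, however large.

    Every incoming character is fed to the normalizer, so the cost grows with
    the attacker-chosen input size, and the result may be up to 3x longer.
    """
    return unicodedata.normalize("NFKC", value)


def normalize_username_bounded(
    value: str, max_length: int = MAX_USERNAME_LENGTH
) -> Optional[str]:
    """Hardened pattern: reject over-long input before normalizing.

    The cheap length check runs first, so the expensive normalization only
    ever sees at most `max_length` characters. A second check on the
    normalized output catches inputs that expand past the limit (e.g. many
    "¾" characters). Returns None when the value is rejected.
    """
    if len(value) > max_length:
        return None  # never reaches the costly call
    normalized = unicodedata.normalize("NFKC", value)
    if len(normalized) > max_length:
        return None  # expanded beyond the field's limit
    return normalized


if __name__ == "__main__":
    before, after = nfkc_expansion(THREE_QUARTERS * 1_000_000)
    print(f"NFKC: {before} code points -> {after} code points")
    print("bounded:", normalize_username_bounded(THREE_QUARTERS * 1_000_000))
```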
If you want to receive future publications, feel free to subscribe!