The One Million Unicode Denial Of Service Attack

You are reading the Query Chronicles newsletter, a monthly publication that highlights the genius part of a vulnerability report and provides the straight-to-the-point trick to adopt.

This edition concerns a Denial of Service attack caused by a payload of one million Unicode characters.

The vulnerability happens when user-controlled data can reach a costly Unicode normalization without limitation on the size of the incoming data (CWE-770: Allocation of Resources Without Limits or Throttling).

This happened in Django versions before 4.2.7 with a security issue tracked via CVE-2023-46695.

The NFKC (Unicode) normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField was subject to a potential denial of service attack via certain inputs with a very large number of Unicode characters.

This could get worse: compatibility normalization of a Unicode character such as “¾” (with forms such as NFKC or NFKD) produces three characters, “3⁄4”, tripling the potential size of the incoming data.

The Django fix simply introduced a limit on the maximum size of the username field.
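The pattern above, as an added illustration that is not Django's own code: an unbounded `to_python` that normalizes whatever arrives, beside a hardened version that checks the length before the costly NFKC step. The 150-character limit and the function names are assumptions for the example; the scan helper shows how much a single code point can grow under NFKC.

```python
import unicodedata

MAX_USERNAME_LENGTH = 150  # assumed limit for this example, not Django's value


def nfkc_length(value: str) -> int:
    """Length in code points after NFKC normalization."""
    return len(unicodedata.normalize("NFKC", value))


def vulnerable_to_python(value: str) -> str:
    # Unbounded: normalizes the input however long it is (the bug's shape).
    return unicodedata.normalize("NFKC", value)


def hardened_to_python(value: str, max_length: int = MAX_USERNAME_LENGTH) -> str:
    # Reject oversized input BEFORE the costly normalization, not after it.
    if len(value) > max_length:
        raise ValueError(f"username exceeds {max_length} characters")
    return unicodedata.normalize("NFKC", value)


def worst_nfkc_expansion(limit: int = 0x10000) -> tuple[str, int]:
    """Scan single code points below `limit` and return the one whose NFKC
    form has the most code points, with that count (surrogates skipped)."""
    worst, worst_len = "", 0
    for cp in range(limit):
        if 0xD800 <= cp <= 0xDFFF:
            continue
        ch = chr(cp)
        n = nfkc_length(ch)
        if n > worst_len:
            worst, worst_len = ch, n
    return worst, worst_len


if __name__ == "__main__":
    print(nfkc_length("¾"))  # 3: "3", U+2044 FRACTION SLASH, "4"
    ch, n = worst_nfkc_expansion()
    print(f"U+{ord(ch):04X} expands to {n} code points")
    payload = "¾" * 1_000_000  # constructed one-million-character input
    try:
        hardened_to_python(payload)
    except ValueError as exc:
        print("rejected:", exc)
```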

Additional Resources

If you want to receive future publications, feel free to subscribe!