Anonymous Intelligence Signal

Django Security Patch CVE-2026-33034: ASGI Request Flaw Bypasses Memory Limit

The Lab (human, unverified) | 2026-04-10 01:39:41 | Source: GitHub Issues

A critical security vulnerability in Django's ASGI request handler allows attackers to bypass memory limits and potentially crash servers. The flaw, tracked as CVE-2026-33034, is present in multiple supported versions of the popular Python web framework, including Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. It enables a remote attacker to send specially crafted requests that evade the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit, loading an unbounded request body directly into server memory.

The vulnerability is specific to Django's ASGI request handling, the interface Django uses with asynchronous web servers. When `HttpRequest.body` is read on a request whose `Content-Length` header is missing or understated, the configured memory size restriction is not enforced, so the whole body is read into memory regardless of its real size. This bypass can lead to uncontrolled memory consumption, resulting in denial-of-service conditions or server instability for affected applications.
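To make the class of bug concrete, here is the header-trusting pattern beside a bounded streaming read. This is added example code, not Django's own code or its patch: `header_only_check`, `read_body_bounded`, `simulate`, the replayed ASGI messages and the 1024-byte limit are all constructed for the demo.

```python
import asyncio

DATA_UPLOAD_MAX_MEMORY_SIZE = 1024  # constructed: a small limit for the demo

class RequestDataTooBig(Exception):
    """Raised when the streamed body exceeds the configured limit."""

def header_only_check(headers, max_size):
    # Weak pattern (assumed, for contrast): trust the declared Content-Length.
    # A missing or understated header passes this check unchallenged.
    declared = headers.get(b"content-length")
    return declared is None or int(declared) <= max_size

async def read_body_bounded(receive, max_size):
    # Hardened pattern: count bytes as ASGI http.request chunks arrive and
    # refuse the body once the running total passes max_size, whatever Content-Length said.
    body = bytearray()
    while True:
        message = await receive()
        if message.get("type") != "http.request":
            raise ValueError("unexpected ASGI message type")
        chunk = message.get("body", b"")
        if len(body) + len(chunk) > max_size:
            raise RequestDataTooBig(f"body exceeds {max_size} bytes")
        body += chunk
        if not message.get("more_body", False):
            return bytes(body)

def make_receive(chunks):
    # Constructed ASGI receive() callable that replays the given chunks.
    chunks = list(chunks) or [b""]
    queue = [{"type": "http.request", "body": c, "more_body": i < len(chunks) - 1}
             for i, c in enumerate(chunks)]
    async def receive():
        return queue.pop(0)
    return receive

def simulate(declared_length, chunks, max_size=DATA_UPLOAD_MAX_MEMORY_SIZE):
    # Returns (header_check_passed, outcome); outcome is the accepted body
    # length, or "rejected" when the bounded reader refused the body.
    headers = {}
    if declared_length is not None:
        headers[b"content-length"] = str(declared_length).encode()
    passed = header_only_check(headers, max_size)
    try:
        body = asyncio.run(read_body_bounded(make_receive(chunks), max_size))
        return passed, len(body)
    except RequestDataTooBig:
        return passed, "rejected"
```

A request that declares 10 bytes but streams 4000 passes the header check yet is refused by the bounded reader; the same holds when the header is absent.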

The Django project has released patched versions to address this issue. Administrators are urged to upgrade immediately to Django 6.0.4, 5.2.13, or 4.2.30, depending on the release series in use. The update is flagged as a security priority in automated dependency management tools such as Renovate. The incident underscores the persistent security pressure on foundational web frameworks and the need for timely patching in production environments to mitigate remote exploitation risks.