Anonymous Intelligence Signal

Django 6.0.5 Patches ASGI Memory Bypass Vulnerability CVE-2026-5766

Author: The Lab (human) | Status: unverified | 2026-05-09 01:54:50 | Source: GitHub Issues

A security vulnerability in Django's ASGI request handling could allow attackers to bypass file upload memory limits and degrade service through memory exhaustion. The flaw, tracked as CVE-2026-5766, affects Django 6.0 versions prior to 6.0.5 and Django 5.2 versions prior to 5.2.14. The problem lies in how ASGI requests handle the Content-Length header: a request whose Content-Length is missing or understated can circumvent the FILE_UPLOAD_MAX_MEMORY_SIZE setting, so that a large upload is held entirely in memory instead of being spooled to a temporary file on disk.

The mechanism is a trust problem, not a parsing bug. FILE_UPLOAD_MAX_MEMORY_SIZE governs whether an upload is buffered in RAM or written to a temporary file, and the reported flaw is that on the ASGI path this choice is effectively driven by the size the client declares rather than by the bytes that actually arrive. A request that omits Content-Length, or declares a value well under the limit, therefore takes the in-memory path, and the real body, which the client controls, is accumulated in RAM until the server runs short of memory. This is a denial-of-service vector: an attacker who can reach an upload endpoint can degrade or crash the service with a handful of oversized requests. Django maintainers have emphasized that production deployments should configure body-size limits at the web server level rather than relying solely on application-layer controls. That advice matters most for deployments that expose an ASGI server directly, without a reverse proxy enforcing a request-body limit in front of it, since there is then no backstop between the client and the application's buffer.
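The following is an added illustration, not Django's code, of the decision described above. It models the two ways an upload handler can choose between memory and disk: the vulnerable shape keys the choice to the declared Content-Length (a missing header counts as zero), while the hardened shape counts bytes as they stream and rolls over to a temporary file the moment the running total would exceed the limit. Function names, the chunk sizes and the small limits used in the test are constructed for the demonstration; only the default value of FILE_UPLOAD_MAX_MEMORY_SIZE is Django's.

```python
"""Declared size vs. observed size when choosing an upload buffer.

Added example, not Django's implementation. It reproduces the shape of the
decision the advisory describes so the bypass can be seen with constructed
input: trusting Content-Length lets a missing or understated header select
the in-memory path for an arbitrarily large body.
"""
import io
import tempfile
from typing import Iterable, Optional, Tuple

FILE_UPLOAD_MAX_MEMORY_SIZE = 2_621_440  # Django's documented default, 2.5 MiB


def pick_handler_by_header(content_length: Optional[int],
                           limit: int = FILE_UPLOAD_MAX_MEMORY_SIZE) -> str:
    """Vulnerable pattern (hypothetical name): trust the client's Content-Length.

    A missing header is treated as 0 and an understated one as small, so both
    select the in-memory path regardless of how large the body really is.
    """
    declared = content_length or 0
    return "memory" if declared <= limit else "disk"


def buffer_trusting_header(chunks: Iterable[bytes], content_length: Optional[int],
                           limit: int = FILE_UPLOAD_MAX_MEMORY_SIZE) -> Tuple[str, int]:
    """Consume the body using the header-driven choice.

    Returns (handler, bytes_held_in_ram). On the memory path the buffer grows
    with every chunk and nothing ever checks it against the limit: the bypass.
    """
    handler = pick_handler_by_header(content_length, limit)
    if handler == "memory":
        buf = io.BytesIO()
        for chunk in chunks:
            buf.write(chunk)  # unbounded growth
        return handler, buf.tell()
    with tempfile.TemporaryFile() as tmp:
        for chunk in chunks:
            tmp.write(chunk)
    return handler, 0


def buffer_counting_bytes(chunks: Iterable[bytes],
                          limit: int = FILE_UPLOAD_MAX_MEMORY_SIZE) -> Tuple[str, int]:
    """Hardened pattern (hypothetical name): decide from bytes actually received.

    Data stays in memory only while the running total fits within the limit.
    The first chunk that would push it over moves everything already buffered
    to a temporary file and frees the RAM copy. The declared Content-Length is
    never consulted, so omitting or understating it changes nothing.
    Returns (handler, peak_bytes_held_in_ram).
    """
    mem = io.BytesIO()
    peak = 0
    tmp = None
    for chunk in chunks:
        if tmp is None:
            if mem.tell() + len(chunk) <= limit:
                mem.write(chunk)
                peak = mem.tell()
                continue
            # Roll over: spill the in-memory prefix to disk, then keep streaming.
            tmp = tempfile.TemporaryFile()
            tmp.write(mem.getvalue())
            mem = None
        tmp.write(chunk)
    if tmp is None:
        return "memory", peak
    tmp.close()
    return "disk", peak


if __name__ == "__main__":
    # Constructed input: 10 chunks of 512 bytes against a 1 KiB limit, no header.
    body = [b"A" * 512] * 10
    print(buffer_trusting_header(body, None, limit=1024))   # ('memory', 5120)
    print(buffer_counting_bytes(body, limit=1024))          # ('disk', 1024)
```

The point of the comparison is that the hardened version bounds peak memory by the limit itself, whatever the client claims; the vulnerable version's peak is whatever the client sends.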

Organizations running affected Django versions under ASGI should treat this as a prompt upgrade priority, particularly for applications that accept file uploads or run in memory-constrained environments. The patched releases, Django 6.0.5 and 5.2.14, close the bypass by enforcing stricter handling of malformed or missing Content-Length headers. Teams should confirm the installed version (django.get_version() in a shell, or python -m django --version) and verify that a request-body limit is enforced in front of the application, for example client_max_body_size in nginx (whose default is 1m) or LimitRequestBody in Apache, as a defense-in-depth measure. Note that Django's DATA_UPLOAD_MAX_MEMORY_SIZE is not a substitute: it is computed against the request excluding file upload data, so it does not cap uploads. The vulnerability underscores a broader principle: application-level limits should complement, not replace, infrastructure-layer protections against resource exhaustion.
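As an added example of the application-layer half of that defense in depth (this is not code from Django or its maintainers, and the middleware, its class name and the 10 MiB ceiling are assumptions), here is an ASGI middleware that counts request-body bytes as the server delivers them and refuses to hand the application more than a fixed cap, no matter what Content-Length says. The toy application and the driver function at the bottom construct ASGI messages in-process so the behaviour can be exercised offline; a reverse proxy should still enforce its own limit in front of this.

```python
"""ASGI middleware capping the request body by bytes actually received.

Added example, not Django's code. Counting on the receive() side means a
missing or understated Content-Length cannot talk the application into
buffering more than max_body bytes; an honest oversized header is refused
before any body is read at all.
"""
import asyncio
from typing import List, Optional

MAX_BODY = 10 * 1024 * 1024  # hypothetical deployment ceiling, 10 MiB


class PayloadTooLarge(Exception):
    """Raised from the wrapped receive() once the running byte count passes the cap."""


class BodySizeLimit:
    def __init__(self, app, max_body: int = MAX_BODY):
        self.app = app
        self.max_body = max_body

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        headers = dict(scope.get("headers", []))
        declared = headers.get(b"content-length")
        # Honest oversized requests are rejected before the body is touched.
        if declared is not None and declared.isdigit() and int(declared) > self.max_body:
            await self._send_413(send)
            return

        seen = 0
        response_started = False

        async def limited_receive():
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                # The header plays no part here: this is a count of real bytes.
                if seen > self.max_body:
                    raise PayloadTooLarge()
            return message

        async def tracking_send(message):
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, limited_receive, tracking_send)
        except PayloadTooLarge:
            # Substitute a 413 only if the app had not already begun its reply.
            if not response_started:
                await self._send_413(send)

    @staticmethod
    async def _send_413(send):
        await send({"type": "http.response.start", "status": 413,
                    "headers": [(b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": b"Payload Too Large"})


async def echo_size_app(scope, receive, send):
    """Toy app that buffers the whole body in RAM, like a vulnerable upload path."""
    body = b""
    while True:
        message = await receive()
        body += message.get("body", b"")
        if not message.get("more_body", False):
            break
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": str(len(body)).encode()})


def run_request(chunks: List[bytes], content_length: Optional[int], max_body: int) -> int:
    """Drive the middleware with constructed ASGI messages; returns the status sent."""
    headers = [] if content_length is None else [(b"content-length", str(content_length).encode())]
    scope = {"type": "http", "method": "POST", "path": "/upload", "headers": headers}
    messages = [{"type": "http.request", "body": c, "more_body": i < len(chunks) - 1}
                for i, c in enumerate(chunks)] or [{"type": "http.request", "body": b"", "more_body": False}]
    sent = []

    async def receive():
        return messages.pop(0)

    async def send(message):
        sent.append(message)

    asyncio.run(BodySizeLimit(echo_size_app, max_body)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    # Constructed: 2000 bytes sent with no Content-Length against a 1000-byte cap.
    print(run_request([b"A" * 500] * 4, None, 1000))  # 413
```

The 413 after a partially consumed body is best effort; a real server may close the connection instead. What the middleware guarantees is the bound on what reaches the application, which is the property the advisory is about.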