#36743 closed Bug (fixed)
Max URL length of 2048 is too conservative for redirect targets
| Reported by: | Jacob Walls | Owned by: | Varun Kasyap Pentamaraju |
|---|---|---|---|
| Component: | HTTP handling | Version: | 4.2 |
| Severity: | Release blocker | Keywords: | |
| Cc: | Mariusz Felisiak | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Since 4.2.3 (2023), Django has been enforcing a limit of 2048 characters in the URL and email validators to prevent a ReDoS vector (CVE-2023-36053).
In 5.1.8 and 5.0.14 (April 2025), Django applied this limit in more places to prevent a DoS vector on Windows (CVE-2025-27556):
- LoginView
- LogoutView
- set_language()
In 5.2.8, 5.1.4, and 4.2.26 (November 2025) this same limit was applied in an additional case (to prevent an almost identical DoS vector, CVE-2025-64458):
- HttpResponseRedirect
- HttpResponsePermanentRedirect
- redirect()
We've seen multiple reports that 2048 characters is too strict for redirects involving third-party services like S3:
The fact that we're catching 4.2 LTS users for the first time is relevant.
- nginx allows about 8k characters (source)
- apache allows about half that (source)
To my knowledge, 2048 was chosen simply because of the precedent in 4.2.3 for the URLValidator case (thereby reusing a single constant).
I'm not proposing to do anything about the URLValidator case. But for the Windows vulnerabilities, having to do with LoginView and redirect, we could have relaxed the limit to around nginx's 8K limit and still mitigated them.
That's essentially what authentik did when monkey-patching this constant. Users shouldn't have to do that (it degrades the validation for URLField).
I'm proposing we relax 2048 to 8192 (around the nginx limit) for the two vulnerabilities we patched in 2025 (in LoginView, redirect() and friends), i.e. have a second constant for those. I'm not proposing to expose this as a setting. I'm proposing we ship it with our next regularly scheduled patch release.
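As an added illustration of the proposal above (not part of the ticket, and not Django's own source), the following stand-alone Python sketch applies a length cap to a redirect target before any parsing, then checks the scheme, and compares the two caps on a constructed S3-style presigned URL. The names `URL_VALIDATOR_MAX_LENGTH`, `REDIRECT_MAX_LENGTH`, `check_redirect_target` and `fits` are assumptions for the example, not Django identifiers.

```python
"""Illustrative sketch (not Django's code) of a redirect-target check that
applies a length cap before any URL parsing, parameterised so the effect of a
2048 versus an 8192 cap can be compared on a realistic redirect target."""
from urllib.parse import urlsplit

# Assumed names for this example only; they are not Django's constants.
URL_VALIDATOR_MAX_LENGTH = 2048  # the 4.2.3-era validator limit the ticket says was reused
REDIRECT_MAX_LENGTH = 8192       # the relaxed redirect-only limit the ticket proposes


class DisallowedRedirect(Exception):
    """Redirect target rejected: scheme not in the allowed list, or target
    longer than the configured cap."""


def check_redirect_target(url, allowed_schemes=("http", "https", "ftp"),
                          max_length=REDIRECT_MAX_LENGTH):
    """Return the URL unchanged if it is an acceptable redirect target.

    The length check runs first: it is O(1) and keeps oversized input away
    from urlsplit() and any slower normalisation a real implementation might
    perform afterwards, which is the point of a cap as a DoS mitigation.
    """
    if len(url) > max_length:
        raise DisallowedRedirect(
            f"Redirect target longer than {max_length} characters"
        )
    scheme = urlsplit(url).scheme
    if scheme and scheme not in allowed_schemes:
        raise DisallowedRedirect(
            f"Unsafe redirect to URL with protocol '{scheme}'"
        )
    return url


def constructed_presigned_url(n_params=20):
    """Constructed S3-style presigned URL (sample input, not a real link).

    The query string is padded to mimic the long signature and policy
    parameters such services emit; with the default it comes to roughly
    3,400 characters, over 2048 but well under 8192.
    """
    base = "https://example-bucket.s3.amazonaws.com/exports/report.csv"
    params = [f"X-Amz-Param-{i}={'a' * 150}" for i in range(n_params)]
    return base + "?" + "&".join(params)


def fits(url, max_length):
    """True if the URL passes check_redirect_target under the given cap."""
    try:
        check_redirect_target(url, max_length=max_length)
    except DisallowedRedirect:
        return False
    return True


if __name__ == "__main__":
    target = constructed_presigned_url()
    print(len(target), "characters")
    print("accepted at 2048:", fits(target, URL_VALIDATOR_MAX_LENGTH))
    print("accepted at 8192:", fits(target, REDIRECT_MAX_LENGTH))
    # Scheme checking is unaffected by the cap: a javascript: target is
    # still refused under either limit.
    print("javascript: accepted:", fits("javascript:alert(1)", REDIRECT_MAX_LENGTH))
```

Run stand-alone, the script shows the same presigned-style target refused under the 2048 cap and accepted under 8192, while a `javascript:` target is refused under both, which is the separation of the length cap from the scheme allow-list that the ticket relies on.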
Change History (21)
comment:1 by , 3 weeks ago
| Summary: | 2048 is too conservative a max length for redirect targets → Max URL length of 2048 is too conservative for redirect targets |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 3 weeks ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
comment:3 by , 3 weeks ago
| Cc: | added |
|---|
I'm not sure why we want to consider this a release blocker; we've discussed and agreed on this limit within the security team. Moreover, users can adjust the current limit themselves. As far as I'm aware, this is not a bug but a cleanup; even then, I'm not convinced that we should change it (even in the current main branch).
comment:4 by , 3 weeks ago
Thanks Mariusz. My position is that we got the limit wrong.
> we've discussed and agreed on this limit within the security team
I think this overstates the extent to which it was discussed.
> Moreover, users can adjust the current limit themselves.
Do you not find the arguments convincing that this is a poor practice, not composable for reusable apps, and degrades URLField validation?
comment:5 by , 3 weeks ago
| Needs documentation: | set |
|---|
comment:6 by , 3 weeks ago
| Has patch: | set |
|---|
comment:7 by , 3 weeks ago
| Needs documentation: | unset |
|---|
comment:18 by , 10 days ago
Tangentially, the docstring for DisallowedRedirect is now out of date:

```python
class DisallowedRedirect(SuspiciousOperation):
    """Redirect to scheme not in allowed list"""
```
Thank you!