Opened 2 hours ago
Last modified 63 minutes ago
#36743 new Bug
Max URL length of 2048 is too conservative for redirect targets
| Reported by: | Jacob Walls | Owned by: | |
|---|---|---|---|
| Component: | HTTP handling | Version: | 4.2 |
| Severity: | Release blocker | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Since 4.2.3 (2023), Django has been enforcing a limit of 2048 characters in the URL and email validators to prevent a ReDoS vector (CVE-2023-36053).
In 5.1.8 and 5.0.14 (April 2025), Django applied this limit in more places to prevent a DoS vector on Windows (CVE-2025-27556):
- LoginView
- LogoutView
- set_language()
In 5.2.8, 5.1.4, and 4.2.26 (November 2025) this same limit was applied in an additional case (to prevent an almost identical DoS vector, CVE-2025-64458):
- HttpResponseRedirect
- HttpResponsePermanentRedirect
- redirect()
We've seen multiple reports that 2048 characters is too strict for redirects involving third-party services like S3:
The fact that we're catching 4.2 LTS users for the first time is relevant.
- nginx allows about 8k characters
- apache allows about half that
To my knowledge, 2048 was chosen simply because of the precedent in 4.2.3 for the URLValidator case (thereby reusing a single constant).
I'm not proposing to do anything about the URLValidator case. But for the Windows vulnerabilities, having to do with LoginView and redirect, we could have relaxed the limit to around nginx's 8K limit and still mitigated them.
That's essentially what authentik did when monkey-patching this constant. Users shouldn't have to do that (it degrades the validation for URLField).
I'm proposing we relax 2048 to 8192 (around the nginx limit) for the two vulnerabilities we patched in 2025 (in LoginView, redirect() and friends), i.e. have a second constant for those. I'm not proposing to expose this as a setting. I'm proposing we ship it with our next regularly scheduled patch release.
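An added illustration of the two-constant arrangement the proposal describes (example code, not from the ticket or from Django itself; the constant and function names are assumed): the validators keep their 2048 cap, redirect targets get a separate 8192 cap checked before any parsing, and a constructed S3-style presigned URL of about 3000 characters is rejected by the former but accepted by the latter.

```python
from urllib.parse import urlsplit

# Constants assumed for this example; they are not Django's own names.
MAX_URL_LENGTH = 2048           # kept for URLValidator / EmailValidator (the 4.2.3 precedent)
MAX_REDIRECT_URL_LENGTH = 8192  # separate cap for redirect targets, around nginx's limit


def validator_accepts_length(url):
    """Length gate as the URL/email validators apply it: unchanged at 2048."""
    return len(url) <= MAX_URL_LENGTH


def is_acceptable_redirect_target(url, allowed_hosts=None):
    """Decide whether `url` may be used as a redirect target.

    allowed_hosts=None models the redirect()/HttpResponseRedirect case, where
    the application chose the URL itself; a set of hostnames models the
    LoginView/LogoutView case, where the target came from the request.
    The length check runs first, before any parsing or normalization work,
    so an over-long input costs only a len() call.
    """
    if not url or len(url) > MAX_REDIRECT_URL_LENGTH:
        return False
    if allowed_hosts is None:
        return True
    # Request-supplied target: also refuse off-site or non-http(s) destinations.
    if url.startswith("///") or "\\" in url:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.scheme and not parts.netloc:
        return False
    if parts.netloc and (parts.hostname or "") not in allowed_hosts:
        return False
    return True


def presigned_style_url(signature_len):
    """Constructed sample: an S3-style presigned URL with a long signed query string."""
    return ("https://example-bucket.s3.amazonaws.com/report.pdf"
            "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=" + "a" * signature_len)
```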
Change History (1)
comment:1 by , 63 minutes ago
| Summary: | 2048 is too conservative a max length for redirect targets → Max URL length of 2048 is too conservative for redirect targets |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
Thank you!