id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36743	Max URL length of 2048 is too conservative for redirect targets	Jacob Walls	Varun Kasyap Pentamaraju	"Since 4.2.3 (2023), Django has been enforcing a limit of 2048 characters in the URL and email validators to prevent a ReDoS vector (CVE-2023-36053).

In 5.1.8 and 5.0.14 (April 2025), Django applied this limit in more places to prevent a DoS vector on Windows (CVE-2025-27556):
- `LoginView`
- `LogoutView`
- `set_language()`

In 5.2.8, 5.1.4, and 4.2.26 (November 2025) this same limit was applied in an additional case (to prevent an almost identical DoS vector, CVE-2025-64458):
- `HttpResponseRedirect`
- `HttpResponsePermanentRedirect`
- `redirect()`

We've seen multiple reports that 2048 characters is too strict for redirects involving third-party services like S3:
- [https://github.com/goauthentik/authentik/commit/6a13b38740f92d8003e51fe2225513d1369e3e44 authentik]
- [https://forum.djangoproject.com/t/application-issues-caused-by-the-fix-for-cve-2025-27556-in-django-4-2-26/43502 forum [1]]
- [https://forum.djangoproject.com/t/cve-2025-64458-new-max-url-length-const-leads-to-issues/43507 forum [2]]

The fact that we're catching 4.2 LTS users for the first time is relevant.

----
nginx allows about 8k characters [https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers source]
apache allows about half that [https://www.measuringknowhow.com/understanding-the-max-length-of-a-query-string-explained/ source]

To my knowledge, 2048 was chosen simply because of the precedent in 4.2.3 for the URLValidator case (thereby reusing a single constant).

I'm not proposing to do anything about the URLValidator case. But for the Windows vulnerabilities, having to do with `LoginView` and `redirect`, we could have relaxed the limit to around nginx's 8K limit and still mitigated them.

That's essentially what authentik did when monkey-patching this constant. Users shouldn't have to do that (it degrades the validation for URLField).

----
I'm proposing we relax 2048 to 8192 (around the nginx limit) for the two vulnerabilities we patched in 2025 (in `LoginView`, `redirect()` and friends), i.e. have a second constant for those. I'm not proposing to expose this as a setting. I'm proposing we ship it with our next regularly scheduled patch release."	Bug	closed	HTTP handling	4.2	Release blocker	fixed		Mariusz Felisiak	Accepted	1	0	0	0	0	0
