May 5, 2026
Django 5.2.14 fixes three security issues with severity “low” in 5.2.13.
ASGI requests with a missing or understated Content-Length header could bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation.

As a reminder, Django expects a request body size limit to be configured at the web server level rather than solely relying on FILE_UPLOAD_MAX_MEMORY_SIZE.

This issue has severity “low” according to the Django security policy.
SESSION_SAVE_EVERY_REQUEST

Response headers did not vary on cookies if a session was not modified but SESSION_SAVE_EVERY_REQUEST was True. A remote attacker could steal a user’s session after that user visits a cached public page.

This issue has severity “low” according to the Django security policy.
Vary: * in UpdateCacheMiddleware

Previously, UpdateCacheMiddleware would erroneously cache responses whose Vary header contained an asterisk ('*'). This could lead to private data being stored and served to other users.

This issue has severity “low” according to the Django security policy.
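The two caching issues above share one root cause: a shared cache stores a response it cannot key correctly. The check below is an added example, not Django's own code, that models the rules a defender would want a cache layer to enforce (reject Vary: *, reject responses that set a cookie, and require Vary: Cookie whenever the session was read). The helper names, the `session_accessed` flag and the sample responses are constructed for this illustration.

```python
# Cache-safety check for responses, written for this note (not Django code).
# add_vary() only models the merge behaviour of a Vary-patching helper.


def parse_vary(value):
    """Split a Vary header value into a set of lowercase field names."""
    if not value:
        return set()
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def add_vary(headers, *fields):
    """Return a copy of headers with fields merged into Vary, case-insensitively."""
    current = [p.strip() for p in headers.get("Vary", "").split(",") if p.strip()]
    seen = {p.lower() for p in current}
    for field in fields:
        if field.lower() not in seen:
            current.append(field)
            seen.add(field.lower())
    new_headers = dict(headers)
    new_headers["Vary"] = ", ".join(current)
    return new_headers


def shared_cache_safe(headers, session_accessed):
    """Decide whether a response may be stored in a shared (public) cache.

    Returns (ok, reason). session_accessed is the hypothetical flag a session
    layer would set once request.session was read during the request.
    """
    vary = parse_vary(headers.get("Vary"))
    if "*" in vary:
        return False, "Vary: * means the response may differ on anything; never cache it"
    if "Set-Cookie" in headers:
        return False, "a cached Set-Cookie would hand one user's cookie to another"
    if session_accessed and "cookie" not in vary:
        return False, "session was read but the response does not vary on Cookie"
    return True, "ok"


# Constructed sample responses: (headers, session_accessed).
SAMPLES = {
    "vary_star": ({"Content-Type": "text/html", "Vary": "*"}, False),
    "session_unvaried": ({"Content-Type": "text/html"}, True),
    "session_varied": (add_vary({"Content-Type": "text/html"}, "Cookie"), True),
    "sets_cookie": ({"Set-Cookie": "sessionid=abc; HttpOnly"}, False),
    "anonymous": ({"Content-Type": "text/html"}, False),
}


def classify_samples():
    """Map each sample name to whether it is safe for a shared cache."""
    return {name: shared_cache_safe(h, acc)[0] for name, (h, acc) in SAMPLES.items()}
```

The "session_unvaried" sample is the shape of the SESSION_SAVE_EVERY_REQUEST issue: the session was read, the response never gained Vary: Cookie, and a shared cache would serve it to the next visitor.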