When a remote user-controlled data can reach a costly Unicode normalization with either form, NFKC or NFKD, an attack such as the One Million Unicode Characters, could lead to a denial of service on Windows OS.

And, with the use of special Unicode characters, like U+2100 (℀) or U+2105 (℅), the payload size could be tripled after the compatibility normalization.

Ensure limiting the size of any incoming data that would go through a costly operations, including a Windows Unicode normalization with NFKC or NFKD. Such a recommandation would avoid a potential denial of service.

In this example a simple user-controlled data reaches a Unicode normalization with the form "NFKC".

To fix this vulnerability, we need restrain the size of the user input.

For example, we can use the len() builtin function to limit the size of the user input.

CVE-2023-46695: Potential denial of service vulnerability in Django UsernameField on Windows.