Django is vulnerable to Regular Expression Denial Of Service (ReDoS). The vulnerability is due to a regular expression with inefficient complexity within the django.utils.text.Truncator.words()
function. When this function has the html
parameter set to true
, and is utilizing the truncatewords_html
template filter, an attacker can render the application unresponsive by submitting a crafted string with many <
characters.
www.openwall.com/lists/oss-security/2024/03/04/1
docs.djangoproject.com/en/5.0/releases/security/
docs.djangoproject.com/en/dev/releases/5.0.3/
github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e
github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a
groups.google.com/forum/#%21forum/django-announce
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
www.djangoproject.com/weblog/2024/mar/04/security-releases/