CVE-2024-27351
Published: 2024-03-15
Priority: P4 | 26 | medium | 5.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 1.85% (76.6th percentile)
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
Affected: 7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 3.2 < 3.2.25 | 3.2.25 |
| djangoproject | django | >= 3.2 < 3.2.25 | 3.2.25 |
| djangoproject | django | >= 4.2 < 4.2.11 | 4.2.11 |
| djangoproject | django | >= 4.2 < 4.2.11 | 4.2.11 |
| djangoproject | django | >= 5.0 < 5.0.3 | 5.0.3 |
| djangoproject | django | >= 5.0 < 5.0.3 | 5.0.3 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
Ubuntu
Django vulnerability
vendor_ubuntu · 2024-03-04
Summary: Django could be made to consume resources or crash if it received specially crafted network traffic.
USN-6674-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Seokchan Yoon discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
vendor_redhat · 2024-03-04 · CVSS 7.5 · HIGH · CWE-1333
An inefficient regular expression complexity flaw was found in the Truncator.words function and truncatewords_html filter of Django. This issue may allow an attacker to use a suitably crafted string to cause a denial of service.
Package: ansible-tower (Red Hat Ansible Automation Platform 1.2) - Not affected
Package: python-django (
Ubuntu
Django vulnerability
vendor_ubuntu · 2024-03-04
Summary: Django could be made to consume resources or crash if it received specially crafted network traffic.
Seokchan Yoon discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2024-27351: python-django
vendor_debian · 2024 · CVSS 7.5 · HIGH
Scope: local
Status by suite:
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u7)
forky: resolved (fixed in 3:4.2.11-1)
sid: resolved (fixed in 3:4.2.11-1)
trixie: resolved (fixed in 3:4.2.11-1)
OSV
CVE-2024-27351
osv · 2024-03-15 · CVSS 7.5 · HIGH
OSV
Regular expression denial-of-service in Django
osv · 2024-03-15 · CVSS 7.5 · HIGH
GHSA
Regular expression denial-of-service in Django
ghsa · 2024-03-15 · CVSS 7.5 · HIGH · CWE-1333
No detection rules found.
No public exploits indexed.
arXiv
VulnRepairEval: An Exploit-Based Evaluation Framework for Assessing Large Language Model Vulnerability Repair Capabilities
arxiv_fulltext · 2025-09-03
Authors: Weizhe Wang (Tianjin University, China; co-first author), Wei Ma (Singapore Management University, Singapore), Qiang Hu (Tianjin University, China), Yao Zhang (Tianjin University, China; corresponding author), Jianfei Sun (Singapore Management University, Singapore), Bin Wu (Tianjin University, China), Yang Liu (Nanyang Technological University, Singapore), Guangquan Xu (Tianjin University, China), Lingxiao Jiang (Singapore Management University, Singapore)
Wang and Ma et al.
Keywords: software vulnerability repair, LLM, exploit-based evaluation, benchmark
## Abstract
The adoption of Large Language Models (LLMs) for automated software vulnerability patching has sh
HackerOne
CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
hackerone · 2024-04-28 · CVSS 7.5 · HIGH
# TL;DR
**CVE-2024-27351**: Potential regular expression denial-of-service in `django.utils.text.Truncator.words()`
# Details:
`django.utils.text.Truncator.words()` method (with `html=True`) and `truncatewords_html` template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).
- The `Truncator` class truncates text based on word count.
- When the `html` flag is set, the internal `_truncate_html()` method is used.
- This method relies on regular expressions stored in variables (`re_chars` and `re_words`) to perform the truncation.
- These regular expressions are vulnerable to ReD
Bugzilla
CVE-2024-27351 python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
bugzilla · 2024-02-26 · CVSS 7.5 · HIGH
You're receiving this message because you are on the security prenotification list for the Django web framework; information about this list can be found in our security policy [1].
In accordance with that policy, a set of security releases will be issued on Monday, March 4, 2024 around 900 UTC. This message contains descriptions of the issue, descriptions of the changes which will be made to Django, and the patches which will be applied to Django.
``django.utils.text.Truncator.words()`` method (with ``html=True``) and ``truncatewords_html`` template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to
References
- http://www.openwall.com/lists/oss-security/2024/03/04/1
- https://docs.djangoproject.com/en/5.0/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
- https://www.djangoproject.com/weblog/2024/mar/04/security-releases/
- https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
- https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e
- https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a