CVE-2024-27351 — Regex Denial of Service in Django

CWE-1333 — Regex Denial of Service10 documents8 sources

Severity

5.3MEDIUMNVD

CNA7.5GHSA7.5OSV7.5

EPSS

2.6%

top 14.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedMar 15

Latest updateApr 28

Description

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.6 | Impact: 3.6

Affected Packages2 packages

▶NVDdjangoproject/django3.2 — 3.2.25+2

▶PyPIdjangoproject/django3.2 — 3.2.25+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-27351: In Django 3↗2024-03-15

▶

OSV

Regular expression denial-of-service in Django↗2024-03-15

▶

CVEList

CVE-2024-27351: In Django 3↗2024-03-15

▶

GHSA

Regular expression denial-of-service in Django↗2024-03-15

▶

📋Vendor Advisories

Ubuntu

Django vulnerability↗2024-03-04

▶

Red Hat

python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()↗2024-03-04

▶

Ubuntu

Django vulnerability↗2024-03-04

▶

Debian

CVE-2024-27351: python-django - In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django...↗2024

▶

💬Community

HackerOne

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()↗2024-04-28

▶