CVE-2025-32873
Published 2025-05-08
Priority: P4 (34)
Severity: medium, CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 13.97% (96.1 percentile)
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < 3:3.2.25-0+deb12u1 (bookworm) | 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.21 | 4.2.21 |
| djangoproject | django | >= 5.1 < 5.1.9 | 5.1.9 |
| djangoproject | django | >= 5.2 < 5.2.1 | 5.2.1 |
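The upstream ranges above are the only precise statement of exposure on this page, so the practical check is a version comparison. The script below is an added example, not code from the advisory or from the Django project: it encodes those three ranges, parses a Django version string (dropping any pre-release suffix), reports the fixing release for an affected version, scans pip-freeze or requirements.txt text for Django pins, and queries the locally installed Django through importlib.metadata. The names AFFECTED_RANGES, parse_version, affected_fix, scan_pins and installed_django and the sample pin list are this example's own assumptions. Series the advisory does not list (3.2.x, 5.0.x) come back as "not in range", which is not the same as patched; Debian, for instance, shipped a backport for its 3.2.25 package.

```python
"""Offline range checker for CVE-2025-32873 (Django strip_tags() DoS).

Added example, not from the advisory or the Django project. The affected
ranges are taken from the advisory text; every function name is this
script's own assumption.
"""
import re
from importlib.metadata import PackageNotFoundError, version as pkg_version
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Upstream affected ranges from the advisory: lower bound inclusive,
# upper bound exclusive, and the release that carries the fix.
AFFECTED_RANGES = (
    ((4, 2), (4, 2, 21), "4.2.21"),
    ((5, 1), (5, 1, 9), "5.1.9"),
    ((5, 2), (5, 2, 1), "5.2.1"),
)


def parse_version(text: str) -> Version:
    """Turn '5.1.8' or '5.2rc1' into a tuple of ints, ignoring any pre-release tag."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"not a Django version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def affected_fix(text: str) -> Optional[str]:
    """Return the fixing release if `text` is inside an affected range, else None.

    None also covers series the advisory does not list (3.2.x, 5.0.x, ...);
    that means "not in the advisory's ranges", not "patched".
    """
    v = parse_version(text)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v < high:
            return fix
    return None


# Matches a pinned requirement such as "Django==5.1.8" (name is case-insensitive).
PIN_RE = re.compile(r"^\s*django\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE)


def scan_pins(requirements: str) -> List[Tuple[str, str]]:
    """Scan pip-freeze / requirements.txt text; return (line, fixed_in) for affected pins."""
    hits = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = PIN_RE.match(line)
        if not m:
            continue
        fix = affected_fix(m.group(1))
        if fix:
            hits.append((line, fix))
    return hits


def installed_django() -> Tuple[Optional[str], Optional[str]]:
    """Return (installed version, fixing release or None); (None, None) if Django is absent."""
    try:
        installed = pkg_version("Django")
    except PackageNotFoundError:
        return None, None
    return installed, affected_fix(installed)


if __name__ == "__main__":
    # Constructed sample input for the demo; not pins from any real project.
    SAMPLE = "Django==5.1.8\nrequests==2.32.3\ndjango==4.2.21  # already fixed\n"
    for line, fix in scan_pins(SAMPLE):
        print(f"{line}: affected, upgrade to {fix}")
    installed, fix = installed_django()
    if installed:
        status = f"upgrade to {fix}" if fix else "not in the advisory's ranges"
        print(f"installed Django {installed}: {status}")
```

Run it inside the virtualenv of the application you are assessing so that installed_django() sees the right site-packages; for container images, feed `pip freeze` output from inside the image to scan_pins instead.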
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
Red Hat
vendor_redhat · 2025-05-08 · CVSS 5.3 · MEDIUM · CWE-770
django: Django StripTags Denial of Service
A flaw was found in Django. This vulnerability allows denial of service via processing inputs containing large sequences of incomplete HTML tags.
Package: ansible-automation-platform-24/ee-dellemc-openmanage-rhel8 (Red Hat Ansible Automation Platform 2) - Fix deferred
Package: ansible-automation-platform-24/lightspeed-rhel8 (Red Hat Ansible Automation Platform 2) - Fix deferred
Ubuntu
vendor_ubuntu · 2025-05-07
Django vulnerability
Summary: Django could be made to crash if it received specially crafted network traffic.
Elias Myllymäki discovered that Django incorrectly handled stripping large sequences of incomplete HTML tags. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
vendor_ubuntu · 2025-05-07
Django vulnerability
Summary: Django could be made to crash if it received specially crafted network traffic.
USN-7501-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Elias Myllymäki discovered that Django incorrectly handled stripping large sequences of incomplete HTML tags. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
vendor_debian · 2025 · CVSS 5.3 · MEDIUM
python-django
Description: same as the upstream text above.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u7)
forky: resolved (fixed in 3:4.2.21-1)
sid: resolved (fixed in 3:4.2.21-1)
trixie: resolved (fixed in 3:4.2.21-1)
OSV
osv · 2025-05-08 · CVSS 5.3 · MEDIUM (two records with the same text)
Django has a denial-of-service possibility in strip_tags()
Description: same as the upstream text above.
GHSA
ghsa · 2025-05-08 · MEDIUM · CWE-770
Django has a denial-of-service possibility in strip_tags()
Description: same as the upstream text above.
No detection rules found.
No public exploits indexed.