CVE-2025-32873 — Allocation of Resources Without Limits or Throttling in Django

CWE-770 — Allocation of Resources Without Limits or Throttling9 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 62.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedMay 8

Description

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5djangoproject/django4.2 — 4.2.21+2

▶NVDdjangoproject/django4.2.0 — 4.2.21+2

▶PyPIdjangoproject/django4.2 — 4.2.21+2

🔴Vulnerability Details

CVEList

CVE-2025-32873: An issue was discovered in Django 4↗2025-05-08

▶

OSV

CVE-2025-32873: An issue was discovered in Django 4↗2025-05-08

▶

OSV

Django has a denial-of-service possibility in strip_tags()↗2025-05-08

▶

GHSA

Django has a denial-of-service possibility in strip_tags()↗2025-05-08

▶

📋Vendor Advisories

Red Hat

django: Django StripTags Denial of Service↗2025-05-08

▶

Ubuntu

Django vulnerability↗2025-05-07

▶

Ubuntu

Django vulnerability↗2025-05-07

▶

Debian

CVE-2025-32873: python-django - An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 b...↗2025

▶