Django vulnerable to denial-of-service attack

GHSA-r836-hh6v-rg5g · BIT-django-2024-41991 · CVE-2024-41991 · PYSEC-2024-69

Published Aug 7, 2024 · Modified Nov 4, 2025

Description

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-41991
WEB https://github.com/django/django/commit/523da8771bce321023f490f70d71a9e973ddc927
WEB https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f
WEB https://docs.djangoproject.com/en/dev/releases/security
PACKAGE https://github.com/django/django
WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-69.yaml
WEB https://groups.google.com/forum/#%21forum/django-announce
WEB https://security.netapp.com/advisory/ntap-20240905-0007
WEB https://www.djangoproject.com/weblog/2024/aug/06/security-releases

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes