Django vulnerable to denial-of-service attack via the urlize() and urlizetrunc() template filters

GHSA-5hgc-2vfp-mqvc · BIT-django-2024-45230 · CVE-2024-45230 · PYSEC-2024-102

Published Oct 8, 2024 · Modified Oct 30, 2024

Description

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-45230
WEB https://github.com/django/django/commit/022ab0a75c76ab2ea31dfcc5f2cf5501e378d397
WEB https://github.com/django/django/commit/813de2672bd7361e9a453ab62cd6e52f96b6525b
WEB https://github.com/django/django/commit/d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2
WEB https://docs.djangoproject.com/en/dev/releases/security
PACKAGE https://github.com/django/django
WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-102.yaml
WEB https://groups.google.com/forum/#%21forum/django-announce
WEB https://www.djangoproject.com/weblog/2024/sep/03/security-releases

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes