CVE-2024-27351 in Djangoinfo

Summary

by MITRE • 03/15/2024

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 10/10/2025

The vulnerability identified as CVE-2024-27351 represents a critical security flaw affecting multiple versions of the Django web framework. This issue specifically targets the django.utils.text.Truncator.words() method and the truncatewords_html template filter when processing HTML content with the html=True parameter. The vulnerability manifests as a potential regular expression denial-of-service attack that can be triggered by carefully crafted input strings designed to exploit the underlying regular expression patterns used for HTML text truncation.

The technical flaw stems from inadequate handling of regular expressions within the text truncation functionality, creating a scenario where maliciously constructed HTML input can cause the regular expression engine to enter into computationally expensive operations. This vulnerability is particularly concerning because it builds upon previous fixes for CVE-2019-14232 and CVE-2023-43665, indicating that the initial remediation efforts were insufficient to fully address the underlying pattern matching issues. The incomplete fix has left the system susceptible to resource exhaustion attacks that can consume excessive CPU cycles and memory resources during text processing operations.

The operational impact of this vulnerability extends beyond simple performance degradation to potentially enabling complete system compromise through resource exhaustion attacks. Attackers can craft malicious input strings that cause the Django application to spend excessive computational resources processing what should be simple text truncation operations. This can lead to denial-of-service conditions where legitimate users cannot access the application, and in high-traffic environments, can result in significant system resource consumption that may affect other services running on the same infrastructure. The vulnerability affects applications that process user-generated HTML content through the affected text truncation methods, making it particularly dangerous in web applications where content moderation and text processing are common operations.

Organizations running affected Django versions should prioritize immediate patching to address this vulnerability, as the risk of exploitation increases with the complexity and volume of HTML content processed by applications. The mitigation strategy should include upgrading to Django versions 3.2.25, 4.2.11, or 5.0.3, which contain the complete fix for this issue. Additionally, implementing input validation and sanitization measures can provide an additional layer of protection by limiting the complexity and size of HTML content that reaches the vulnerable text processing functions. Organizations should also consider monitoring system resources and implementing rate limiting on text processing operations to detect and prevent potential exploitation attempts. This vulnerability aligns with CWE-400, which addresses improper handling of regular expressions, and maps to ATT&CK technique T1499.004, which covers network denial of service attacks through resource exhaustion, highlighting the importance of proper input validation and resource management in web application security.

Reservation

02/25/2024

Disclosure

03/15/2024

Moderation

accepted

CPE

ready

EPSS

0.01854

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!