CVE-2024-41990 in Django
Summary
by MITRE • 08/07/2024
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/27/2026
This vulnerability affects Django web applications that utilize the urlize() and urlizetrunc() template filters, which are designed to automatically convert URLs contained in text into clickable hyperlinks. The flaw stems from insufficient input validation and processing logic within these filters, allowing malicious actors to craft specially crafted inputs that can trigger excessive computational resource consumption. When processing extremely large text inputs containing specific character sequences, the urlize() and urlizetrunc() functions enter into computationally expensive operations that can cause significant performance degradation or complete system unresponsiveness.
The technical implementation of these template filters relies on regular expressions and iterative processing to identify and format URLs within text. However, certain input patterns can cause the underlying algorithms to exhibit exponential time complexity behavior, where the processing time increases dramatically with input size. This occurs because the regular expression patterns used for URL detection can create backtracking scenarios that lead to combinatorial explosion during matching operations. The vulnerability specifically manifests when inputs contain sequences of characters that trigger these pathological regex behaviors, causing the filter to consume excessive CPU cycles and memory resources.
From an operational perspective, this vulnerability presents a significant denial-of-service risk to Django applications that process user-generated content through these template filters. Attackers can exploit this weakness by submitting carefully constructed text inputs that are orders of magnitude larger than typical usage patterns, leading to service disruption for legitimate users. The impact extends beyond simple performance degradation to potentially causing complete application crashes or server resource exhaustion, particularly in environments with limited computational resources or high traffic volumes. Applications using these filters for processing comments, forum posts, or any user-submitted text are at risk.
The vulnerability aligns with CWE-400 which categorizes "Uncontrolled Resource Consumption" and specifically relates to the improper handling of input data that leads to excessive resource consumption. This weakness can be mapped to ATT&CK technique T1499.004 which covers "Network Denial of Service" through resource exhaustion attacks. Organizations should immediately apply the security patches available for Django versions 4.2.15 and 5.0.8, as these releases contain fixes that implement proper input length validation and optimized processing algorithms to prevent the pathological behavior. Additionally, implementing rate limiting on text processing endpoints and setting reasonable limits on input sizes can serve as effective mitigations while waiting for patch deployment.