PyPi: Django

CVE-2025-32873

Safety vulnerability ID: 77119

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at May 08, 2025. Updated at May 08, 2025.

Advisory

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

Affected package

django

Latest version: 5.2.1

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Affected versions

Fixed versions

Vulnerability changelog

==========================
Django 5.2.1 release notes
==========================

*Expected May 7, 2025*

Django 5.2.1 fixes a security issue with severity "moderate" and several bugs
in 5.2.

CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
=================================================================

:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the :tfilter:`striptags` template filter, which was thus also
vulnerable.

:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
exception if it encounters an unusually large number of unclosed opening tags.

Bugfixes
========

* Fixed a regression in Django 5.2 that caused a crash when annotating
  aggregate expressions over a query that uses explicit grouping by transforms
  followed by field references (:ticket:`36292`).

* Fixed a regression in Django 5.2 that caused unnecessary queries when
  prefetching nullable foreign key relationships (:ticket:`36290`).

* Fixed a regression in Django 5.2 that caused a crash of
  ``QuerySet.bulk_create()`` with nullable geometry fields on PostGIS
  (:ticket:`36289`).

* Fixed a regression in Django 5.2 that caused fields to be incorrectly
  selected when using ``QuerySet.alias()`` after ``values()``
  (:ticket:`36299`).

* Fixed a data corruption possibility in ``file_move_safe()`` when
  ``allow_overwrite=True``, where leftover content from a previously larger
  file could remain after overwriting with a smaller one due to lack of
  truncation (:ticket:`36298`).

* Fixed a regression in Django 5.2 that caused a crash when using
  ``QuerySet.select_for_update(of=(…))`` with ``values()/values_list()``
  including expressions (:ticket:`36301`).

* Fixed a regression in Django 5.2 that caused improper values to be returned
  from ``QuerySet.values_list()`` when duplicate field names were specified
  (:ticket:`36288`).

* Fixed a regression in Django 5.2 where the password validation error message
  from ``MinimumLengthValidator`` was not translated when using non-English
  locales (:ticket:`36314`).

* Fixed a regression in Django 5.2 that caused the ``object-tools`` block to be
  rendered twice when using custom admin templates with overridden blocks due
  to changes in the base admin page block structure (:ticket:`36331`).

* Fixed a regression in Django 5.2, introduced when fixing :cve:`2025-26699`,
  where the :tfilter:`wordwrap` template filter did not preserve empty lines
  between paragraphs after wrapping text (:ticket:`36341`).

* Fixed a regression in Django 5.2 that caused a crash when serializing email
  alternatives or attachments due to named tuple mismatches (:ticket:`36309`).

* Fixed a regression in Django 5.2 that caused a crash when using ``update()``
  on a ``QuerySet`` filtered against a related model and including references
  to annotations through ``values()`` (:ticket:`36360`).

* Fixed a bug in Django 5.2 that caused composite primary key introspection to
  wrongly identify ``IntegerField`` as ``AutoField`` on SQLite
  (:ticket:`36358`).

* Fixed a bug in Django 5.2 that caused a redundant ``unique_together``
  constraint to be generated for composite primary keys when using
  :djadmin:`inspectdb` (:ticket:`36357`).

