Safety vulnerability ID: 65771
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665).
Latest version: 5.1.3
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
==========================
*March 4, 2024*
Django 5.0.3 fixes a security issue with severity "moderate" and several bugs
in 5.0.2.
CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
=========================================================================================================
``django.utils.text.Truncator.words()`` method (with ``html=True``) and
:tfilter:`truncatewords_html` template filter were subject to a potential
regular expression denial-of-service attack using a suitably crafted string
(follow up to :cve:`2019-14232` and :cve:`2023-43665`).
Bugfixes
========
* Fixed a regression in Django 5.0.2 where ``intcomma`` template filter could
return a leading comma for string representation of floats (:ticket:`35172`).
* Fixed a bug in Django 5.0 that caused a crash of ``Signal.asend()`` and
``asend_robust()`` when all receivers were asynchronous functions
(:ticket:`35174`).
* Fixed a regression in Django 5.0.1 where :meth:`.ModelAdmin.lookup_allowed`
would prevent filtering against foreign keys using lookups like ``__isnull``
when the field was not included in :attr:`.ModelAdmin.list_filter`
(:ticket:`35173`).
* Fixed a regression in Django 5.0 that caused a crash of
``sensitive_variables`` and ``sensitive_post_parameters`` decorators on
functions loaded from ``.pyc`` files (:ticket:`35187`).
* Fixed a regression in Django 5.0 that caused a crash when reloading a test
database and a base queryset for a base manager used ``prefetch_related()``
(:ticket:`35238`).
* Fixed a bug in Django 5.0 where facet filters in the admin would crash on a
``SimpleListFilter`` using a queryset without primary keys (:ticket:`35198`).
==========================
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application