BIT-django-2024-41989
Memory Consumption vulnerability in django (PyPI)

Memory Consumption No known exploit

What is BIT-django-2024-41989 About?

This vulnerability in Django's floatformat template filter causes excessive memory consumption when processing string representations of numbers in scientific notation with large exponents. This can lead to a denial of service. Exploitation is possible by providing a specific malicious input to the template filter.

Affected Software

  • django
    • >5.0, <5.0.8
    • >4.2, <4.2.15

Technical Details

The floatformat template filter in Django versions 5.0 before 5.0.8 and 4.2 before 4.2.15 is susceptible to a resource exhaustion vulnerability. When the filter is applied to a string representation of a number written in scientific notation with an extremely large exponent (e.g., '1e+1000000'), the fixed-point formatting performed by the filter has to materialise as many digits as the exponent specifies, so a short input of a few characters drives a disproportionate memory allocation. Because the input looks innocuous and is cheap to send, this allocation can rapidly consume available system resources and lead to a denial of service condition.

What is the Impact of BIT-django-2024-41989?

Successful exploitation may allow attackers to cause the application to consume excessive memory resources, leading to a denial of service, system instability, or crashes.

What is the Exploitability of BIT-django-2024-41989?

Exploitation requires that an attacker be able to supply input which the application then passes through Django's floatformat template filter, for example through a web interface that renders user-supplied values with this filter. Where such input can be controlled, the complexity is low: no authentication or special privileges on the target system are needed to trigger the condition. The attack vector is most likely remote, since the input would typically arrive in an HTTP request. The primary risk factor is external control over a value that is subsequently rendered by the vulnerable template filter.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-django-2024-41989?

Available Upgrade Options

  • django
    • >4.2, <4.2.15 → Upgrade to 4.2.15
  • django
    • >5.0, <5.0.8 → Upgrade to 5.0.8
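Two checks a defender can automate from this advisory, added here as example code that is not part of the advisory and not Django's own fix: an inventory check that maps an installed Django version onto the affected ranges stated above (4.2 before 4.2.15, 5.0 before 5.0.8), and an input guard that refuses to expand a numeric string whose exponent exceeds a bound before any fixed-point formatting takes place. The guard relies on the fact that `decimal.Decimal` keeps '1e+1000000' as a coefficient of 1 and an exponent of 1000000 without producing a million digits, so inspecting `adjusted()` is cheap while the expansion the advisory describes is not. The function names, the `MAX_ABS_EXPONENT` bound and the simplified version parsing are assumptions for illustration; the upgrade itself remains the fix, and the guard is only defence in depth for code that must keep rendering untrusted numeric strings.

```python
from decimal import Decimal, InvalidOperation

# Affected ranges as stated in the advisory: 4.2 before 4.2.15, 5.0 before 5.0.8.
# Each entry is (minor series, first fixed release).
AFFECTED_RANGES = (
    ((4, 2), (4, 2, 15)),
    ((5, 0), (5, 0, 8)),
)

# Hypothetical bound on the decimal exponent an application is willing to
# expand to fixed point. Pick whatever the application's data actually needs.
MAX_ABS_EXPONENT = 50


def parse_version(version: str) -> tuple:
    """Turn 'X.Y.Z' into a tuple of ints; anything after the leading digits of a
    component (pre-release tags such as 'rc1') is ignored for simplicity."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True if the given Django version falls inside an affected range."""
    v = parse_version(version)
    for minor_series, fixed in AFFECTED_RANGES:
        if v[:2] == minor_series and v < fixed:
            return True
    return False


def bounded_number(value, max_abs_exponent=MAX_ABS_EXPONENT):
    """Parse value as a Decimal and return it only if its magnitude is within
    bounds; return None for non-numeric, non-finite or out-of-range input.

    Decimal(str) is exact and does not expand the exponent, so this check does
    not itself allocate the digits that fixed-point formatting would.
    """
    try:
        d = Decimal(str(value))
    except (InvalidOperation, ValueError, TypeError):
        return None
    if not d.is_finite():
        return None
    # adjusted() is the exponent of the leading digit: 1e+1000000 -> 1000000
    if abs(d.adjusted()) > max_abs_exponent:
        return None
    return d


def safe_floatformat(value, places=2):
    """Fixed-point formatting that refuses out-of-range input with an empty
    string instead of materialising a huge number of digits."""
    d = bounded_number(value)
    if d is None:
        return ""
    return f"{d:.{places}f}"


if __name__ == "__main__":
    # Constructed sample inputs: a normal value, the advisory's example, junk.
    for sample in ("3.14159", "1e20", "1e+1000000", "abc"):
        print(repr(sample), "->", repr(safe_floatformat(sample)))
    for ver in ("4.2.14", "4.2.15", "5.0.7", "5.0.8", "5.1.0"):
        print(ver, "affected" if is_affected_version(ver) else "not affected")
```

The guard is deliberately conservative: a tiny value such as '1e-1000000' is also refused, since the point is to bound the work the renderer will do, not to decide what a reasonable number looks like.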


Additional Resources

What are Similar Vulnerabilities to BIT-django-2024-41989?

Similar Vulnerabilities: CVE-2021-32050, CVE-2023-46638, CVE-2022-23588, CVE-2022-23589, CVE-2022-23590