BIT-django-2024-53907
Denial of Service vulnerability in django (PyPI)

Denial of Service | No known exploit | Fixable by Resolved Security

What is BIT-django-2024-53907 About?

Django versions 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17 are vulnerable to a Denial of Service (DoS) attack. The `strip_tags()` method and the `striptags` template filter can be driven to excessive resource consumption by carefully crafted inputs containing large sequences of nested incomplete HTML entities. Exploitation requires nothing more than supplying such malformed input to code that strips tags from it.

Affected Software

  • django
    • >=4.2, <4.2.17
    • >=5.0, <5.0.10
    • >=5.1, <5.1.4

Technical Details

The vulnerability in Django's strip_tags() method and the striptags template filter (which calls strip_tags()) is a Denial of Service. These functions remove HTML tags by running a parsing pass over the input and repeating that pass until one no longer reduces the number of '<' characters. A specially crafted string containing large, deeply nested sequences of incomplete HTML entities (e.g., '&amp;amp;amp;...') is only partially consumed on each pass, so the stripper re-parses the whole string many times and the CPU cost grows far faster than the input size. A few such requests can keep worker processes busy or exhaust the server, making the application unavailable to legitimate users. An attacker triggers this simply by submitting such a string to any field or template variable that undergoes tag stripping.
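The strip-until-stable loop and the pass-count bound that the fixed releases add, as an added stand-alone Python example (this is not Django's own code): it re-creates the shape of the loop on top of the standard-library HTMLParser, counts how many passes a nested payload forces, and shows a bounded variant refusing such input instead of grinding through it. The limit of 50, the StripDepthExceeded exception and the constructed payload are this example's own choices, not Django's API.

```python
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Collect everything that is not a tag; entity and character references
    are re-emitted unchanged so the output stays HTML-encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.pieces = []

    def handle_data(self, data):
        self.pieces.append(data)

    def handle_entityref(self, name):
        self.pieces.append(f"&{name};")

    def handle_charref(self, name):
        self.pieces.append(f"&#{name};")

    def get_data(self):
        return "".join(self.pieces)


def strip_once(value):
    """One parser pass: removes only the tags the parser can see in this pass."""
    parser = _TagStripper()
    parser.feed(value)
    parser.close()
    return parser.get_data()


def strip_tags_unbounded(value):
    """Pre-fix shape: repeat strip_once until a pass removes no more '<'.
    Returns (stripped, passes). Nested openers such as '<<<br>br>br>' lose one
    level per pass, so the pass count (and total CPU) grows with nesting depth."""
    passes = 0
    while "<" in value and ">" in value:
        new_value = strip_once(value)
        passes += 1
        if value.count("<") == new_value.count("<"):
            break  # this pass found nothing more to strip
        value = new_value
    return value, passes


class StripDepthExceeded(ValueError):
    """Input needed more stripping passes than allowed: treat as hostile."""


def strip_tags_bounded(value, max_passes=50):
    """Fixed shape: the same loop, but refuse input that needs more than
    max_passes passes. The constant and exception are this example's choices."""
    passes = 0
    while "<" in value and ">" in value:
        if passes >= max_passes:
            raise StripDepthExceeded(f"more than {max_passes} stripping passes needed")
        new_value = strip_once(value)
        if value.count("<") == new_value.count("<"):
            break
        value = new_value
        passes += 1
    return value


def nested_payload(depth):
    """Constructed hostile input: `depth` unterminated '<' openers followed by
    `depth` 'br>' tails; each pass strips exactly one level."""
    return "X" + "<" * depth + "br>" * depth + "X"


if __name__ == "__main__":
    for depth in (4, 40, 400):
        _, passes = strip_tags_unbounded(nested_payload(depth))
        print(f"depth={depth}: {passes} passes over {len(nested_payload(depth))} chars")
    try:
        strip_tags_bounded(nested_payload(400))
    except StripDepthExceeded as exc:
        print("bounded stripper rejected the payload:", exc)
```

Each pass re-parses the whole string, so the total work of the unbounded loop is quadratic in the nesting depth; the bounded variant caps it at a fixed number of passes. The bound only makes sense inside the stripping routine itself, so the practical remedy is the version upgrade below, not wrapping calls to strip_tags() from the outside.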

What is the Impact of BIT-django-2024-53907?

Successful exploitation allows an attacker to cause a Denial of Service (DoS): requests carrying the crafted input tie up worker processes in tag stripping, leaving the Django application unresponsive or crashing it and disrupting service availability.

What is the Exploitability of BIT-django-2024-53907?

Exploitation is straightforward and can typically be performed remotely. An attacker only needs to submit a specially crafted string containing deeply nested incomplete HTML entities to an endpoint whose processing passes it through Django's strip_tags() method or the striptags template filter. No authentication or elevated privileges are required, because the vulnerability is triggered while user-supplied data is being processed. Any Django application that accepts user input and later strips tags from it, whether in a view, a form's cleaning code, or a template using |striptags, is therefore at risk. The attack complexity is low: the attacker merely constructs and sends the malformed input.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for BIT-django-2024-53907?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • django
    • >=4.2, <4.2.17 → Upgrade to 4.2.17
    • >=5.0, <5.0.10 → Upgrade to 5.0.10
    • >=5.1, <5.1.4 → Upgrade to 5.1.4
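A quick way to check pinned versions against the ranges above, as an added Python example that is not part of this page or of Django: the FIXED_VERSIONS table is transcribed from this advisory, the sample requirements file is constructed, and the pre-release handling (treating '5.1.4rc1' as older than 5.1.4) is this example's own choice.

```python
import re

# Affected series from this advisory, mapped to the first fixed release.
# A version is affected when it is in the series and below the fixed release.
# Series not listed here (for example end-of-life 3.2) are not assessed by
# this advisory; None from fix_for() means "not in the listed ranges", not "safe".
FIXED_VERSIONS = {
    (4, 2): (4, 2, 17, 0),
    (5, 0): (5, 0, 10, 0),
    (5, 1): (5, 1, 4, 0),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_PIN_RE = re.compile(r"^\s*django\s*==\s*([^\s;#]+)", re.IGNORECASE)


def parse_version(text):
    """'5.1' -> (5, 1, 0, 0); '4.2.16' -> (4, 2, 16, 0).
    Any trailing pre-release marker ('5.1.4rc1', '5.1.4.dev0') sorts below the
    final release, since it predates the fix: (5, 1, 4, -1)."""
    text = text.strip()
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, patch = m.groups()
    pre = -1 if text[m.end():] else 0
    return int(major), int(minor), int(patch or 0), pre


def fix_for(version_text):
    """Return the upgrade target for an affected version, else None."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None or version >= fixed:
        return None
    return "%d.%d.%d" % fixed[:3]


def scan_requirements(lines):
    """Check 'Django==X.Y.Z' pins in requirements-style lines.
    Returns [(pinned_version, upgrade_target)] for every affected pin."""
    findings = []
    for line in lines:
        m = _PIN_RE.match(line)
        if m:
            target = fix_for(m.group(1))
            if target:
                findings.append((m.group(1), target))
    return findings


# Constructed sample requirements file for the demo.
SAMPLE_REQUIREMENTS = """\
Django==4.2.16
djangorestframework==3.15.2
# Django==5.1.3  (commented out, must be ignored)
"""

if __name__ == "__main__":
    for pinned, target in scan_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"Django=={pinned} is affected by CVE-2024-53907; upgrade to {target}")
```

For a running environment, feed it `django.__version__` or the output of `pip freeze` instead of the constructed file; lock files that use `==` pins are parsed the same way.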

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to BIT-django-2024-53907?

Similar Vulnerabilities: CVE-2023-43665, CVE-2022-22802, CVE-2021-2342, CVE-2023-46604, CVE-2020-12049