BIT-django-2026-1285
Denial-of-service vulnerability in django (PyPI)
What is BIT-django-2026-1285 About?
This denial-of-service vulnerability affects Django's HTML-aware truncation helpers: the Truncator.chars() and Truncator.words() methods when called with html=True, and the truncatechars_html and truncatewords_html template filters that use them. An attacker who can get crafted input containing a large number of unmatched HTML end tags into one of these code paths can drive CPU or memory use high enough to exhaust the worker. Exploitation is straightforward: no authentication is needed beyond the ability to submit the malformed input.
Affected Software
- django
- >=4.2a1, <4.2.28
- >=5.2a1, <5.2.11
- >=6.0a1, <6.0.2
Technical Details
The vulnerability lies within the django.utils.text.Truncator.chars() and Truncator.words() methods, and in the truncatechars_html and truncatewords_html template filters built on them, specifically when html=True is set. A remote attacker can supply input containing a large number of unmatched HTML end tags (end tags with no corresponding start tag). When these methods or filters attempt to reconcile such malformed markup, they enter an inefficient processing state, consuming excessive CPU or memory and causing a denial of service for the application. The plain truncatechars and truncatewords filters, and Truncator calls without html=True, do not parse HTML and are not in scope of this advisory.
What is the Impact of BIT-django-2026-1285?
Successful exploitation lets an attacker degrade or disrupt service availability by exhausting CPU or memory on the process handling the request, making the application slow or unresponsive. The advisory describes no confidentiality or integrity impact.
What is the Exploitability of BIT-django-2026-1285?
Exploitation of this vulnerability is low in complexity. A remote attacker sends crafted input, specifically malformed HTML containing a large number of unmatched end tags, to any application feature that passes that input through the vulnerable Truncator methods or template filters with HTML parsing enabled. No authentication or elevated privileges are required where the input vector is exposed unauthenticated. The only real prerequisite is that user-supplied data reaches one of these functions with html=True, for example a comment or bio field rendered through truncatechars_html or truncatewords_html. Publicly exposed forms and APIs that accept and later display HTML content are the primary risk factor.
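As an added illustration of the input shape described in the Technical Details and of the exploitability prerequisite that untrusted HTML reach the affected filters, the following Python is example code written for this page, not code from Django or from the advisory. It builds a constructed sample in the advisory's shape (a short fragment followed by a long run of end tags with no opener), counts unmatched end tags with a linear-time stack scan on the standard-library HTMLParser, and applies a cheap pre-check that an application could run on untrusted HTML before handing it to truncatechars_html, truncatewords_html or Truncator(..., html=True). The function names, the 20,000-character and 50-unmatched-tag thresholds, and the sample strings are assumptions for the example; the guard is defence in depth, not a substitute for upgrading.

```python
from collections import Counter
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the advisory): one benign preview
# and one shaped like the advisory's description, a large run of end tags with
# no matching start tag.
BENIGN_HTML = "<p>Hello <b>world</b>, this is a <i>short</i> preview.</p>"
CRAFTED_HTML = "<p>hi</p>" + "</div>" * 50_000

# Elements that never take an end tag, so a lone start tag is not "unclosed".
VOID_ELEMENTS = {
    "area", "base", "br", "col", "embed", "hr", "img", "input",
    "link", "meta", "source", "track", "wbr",
}


class _TagBalance(HTMLParser):
    """Stack-based scan that counts end tags with no matching open tag.

    A Counter mirrors the stack so membership checks stay O(1); the whole
    pass is linear in the input size regardless of how many stray end tags
    the input carries.
    """

    def __init__(self):
        super().__init__()
        self.open_tags = []
        self.open_counts = Counter()
        self.unmatched_end_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_ELEMENTS:
            self.open_tags.append(tag)
            self.open_counts[tag] += 1

    def handle_startendtag(self, tag, attrs):
        # <br/> style self-closing tags open nothing and close nothing.
        pass

    def handle_endtag(self, tag):
        if self.open_counts[tag] > 0:
            # Pop back to the matching opener; anything above it is
            # implicitly closed, as a browser would treat it.
            while True:
                popped = self.open_tags.pop()
                self.open_counts[popped] -= 1
                if popped == tag:
                    break
        else:
            self.unmatched_end_tags += 1


def count_unmatched_end_tags(html: str) -> int:
    """Return the number of end tags in `html` that close nothing."""
    parser = _TagBalance()
    parser.feed(html)
    parser.close()
    return parser.unmatched_end_tags


def is_safe_to_truncate(html: str, max_chars: int = 20_000,
                        max_unmatched: int = 50) -> bool:
    """Cheap pre-check to run on untrusted HTML before an html=True truncation.

    The size cap is checked first because it is the cheaper test and already
    rejects the bulk of oversized payloads; the tag-balance scan then catches
    short-but-malformed inputs. Thresholds are example values, not Django's.
    """
    if len(html) > max_chars:
        return False
    return count_unmatched_end_tags(html) <= max_unmatched


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_HTML), ("crafted", CRAFTED_HTML)):
        print(label, len(sample), "chars,",
              count_unmatched_end_tags(sample), "unmatched end tags,",
              "safe" if is_safe_to_truncate(sample) else "REJECT")
```

In a Django project the natural place for such a check is the form or serializer that accepts the HTML, so that rejected input never reaches a template; the scan itself is deliberately generic and does not depend on Django being importable.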
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-django-2026-1285?
Available Upgrade Options
- django >=4.2a1, <4.2.28 → Upgrade to 4.2.28
- django >=5.2a1, <5.2.11 → Upgrade to 5.2.11
- django >=6.0a1, <6.0.2 → Upgrade to 6.0.2
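To map an installed Django version onto the affected ranges above, here is a small Python check written for this page (example code, not Django's or the advisory's). It encodes the three ranges and fix versions exactly as listed, parses Django's version strings including alpha, beta and release-candidate forms, and can read the installed version through importlib.metadata. A result of None means only that the version falls outside the ranges the advisory lists, not that it was assessed as unaffected.

```python
import re
from importlib import metadata

# Affected ranges and the fix for each, exactly as listed in the advisory:
# (lower bound inclusive, upper bound exclusive, fixed version).
AFFECTED_RANGES = (
    ("4.2a1", "4.2.28", "4.2.28"),
    ("5.2a1", "5.2.11", "5.2.11"),
    ("6.0a1", "6.0.2", "6.0.2"),
)

# Django version strings: MAJOR.MINOR, optional .MICRO, optional a/b/rc + number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(a|b|rc)?(\d+)?$")
# Pre-release stages sort below the final release of the same MAJOR.MINOR.
_STAGE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}


def parse_version(version: str) -> tuple:
    """Turn '5.2a1', '5.2' or '5.2.11' into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    major, minor, micro, stage, stage_num = m.groups()
    return (int(major), int(minor), int(micro or 0),
            _STAGE_RANK[stage], int(stage_num or 0))


def fix_for(version: str):
    """Return the fixed version to upgrade to, or None if outside the listed ranges."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return fixed
    return None


def installed_django_fix():
    """(installed version, fix version or None); (None, None) if Django is absent."""
    try:
        version = metadata.version("django")
    except metadata.PackageNotFoundError:
        return None, None
    return version, fix_for(version)


if __name__ == "__main__":
    installed, fix = installed_django_fix()
    if installed is None:
        print("Django is not installed in this environment")
    elif fix is None:
        print(f"Django {installed} is outside the advisory's affected ranges")
    else:
        print(f"Django {installed} is affected: upgrade to {fix}")
```

Run it inside the application's virtual environment so importlib.metadata sees the same Django the application imports; for a lock file or requirements pin, call fix_for() on the pinned string directly.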
Additional Resources
- https://docs.djangoproject.com/en/dev/releases/security/
- https://nvd.nist.gov/vuln/detail/CVE-2026-1285
- https://www.djangoproject.com/weblog/2026/feb/03/security-releases/
- https://github.com/django/django/commit/a33540b3e20b5d759aa8b2e4b9ca0e8edd285344
- https://osv.dev/vulnerability/GHSA-4rrr-2h4v-f3j9
- https://groups.google.com/g/django-announce
- https://github.com/django/django
What are Similar Vulnerabilities to BIT-django-2026-1285?
Similar Vulnerabilities: CVE-2023-31046, CVE-2023-28704, CVE-2023-28706, CVE-2023-28705, CVE-2023-45811
