CVE-2024-27351
Regular Expression Denial-of-Service vulnerability in django (PyPI)
What is CVE-2024-27351 About?
This vulnerability is a Regular Expression Denial-of-Service (ReDoS) in Django versions 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3. It affects the `django.utils.text.Truncator.words()` method (with `html=True`) and the `truncatewords_html` template filter. A crafted string can lead to resource exhaustion, and exploitation is relatively straightforward if an attacker can control input processed by these functions.
Affected Software
- django
  - >3.2, <3.2.25
  - >4.2, <4.2.11
  - >5.0, <5.0.3
Technical Details
The vulnerability is a Regular Expression Denial-of-Service (ReDoS) affecting the `django.utils.text.Truncator.words()` method when its `html` parameter is set to `True`, and the `truncatewords_html` template filter, in vulnerable Django versions. It is a follow-up to earlier ReDoS fixes in the same code path (CVE-2019-14232, CVE-2023-43665), whose fixes were incomplete. An attacker can supply a specially crafted input string containing patterns that cause the regular expressions used internally by these functions to enter an inefficient backtracking state. When processed, this leads to excessive CPU consumption and memory usage, causing the application to become unresponsive and resulting in a denial-of-service condition. The attack vector specifically targets the regular expression engine's performance when faced with 'catastrophic backtracking' patterns.
What is the Impact of CVE-2024-27351?
Successful exploitation may allow attackers to cause a denial of service, rendering the Django application or website unresponsive and unavailable to users.
What is the Exploitability of CVE-2024-27351?
Exploitation of this Regular Expression Denial-of-Service (ReDoS) vulnerability is of low to moderate complexity. It typically requires remote access to a Django application that uses a vulnerable version and processes user-controlled input through the `django.utils.text.Truncator.words()` method (with `html=True`) or the `truncatewords_html` template filter. No prior authentication or specific privileges are required if the attacker can submit a crafted string to any part of the application that then passes it to the affected functions. The attack vector involves submitting a string designed to trigger catastrophic backtracking in the regular expressions. The likelihood of exploitation is high in applications that display or manipulate user-generated HTML content without sanitization or an input-length limit before truncation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-27351?
Available Upgrade Options
- django
  - >3.2, <3.2.25 → Upgrade to 3.2.25
  - >4.2, <4.2.11 → Upgrade to 4.2.11
  - >5.0, <5.0.3 → Upgrade to 5.0.3
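The affected ranges and upgrade targets above are easy to misread by hand (a 4.1.x or 5.1.x install is in neither list, and 5.0 without a patch number is affected). The following Python check is an added example written for this advisory; it is not code from Django or from Resolved Security. It takes the series/fixed-version table from the lists above, treats the start of each series as inclusive (matching "3.2 before 3.2.25" in the description), and, as an assumption of its own, compares a pre-release such as `5.0rc1` as its base version, which errs toward reporting "affected". It returns `None` rather than a verdict for series the advisory does not list.

```python
"""Classify a Django version string against the CVE-2024-27351 ranges.

Constructed example for this advisory (not Django or Resolved Security code).
The table below is copied from the advisory's affected-software and upgrade
lists; series starts are treated as inclusive. Assumption: a pre-release
suffix (e.g. "5.0rc1") is ignored and the base version is compared instead.
"""
import re
from importlib import metadata

# Affected release series -> first fixed version, from the advisory.
FIRST_FIXED = {
    (3, 2): (3, 2, 25),
    (4, 2): (4, 2, 11),
    (5, 0): (5, 0, 3),
}

# MAJOR.MINOR with an optional .PATCH; anything after that (rc1, a2, ...) is dropped.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Return (major, minor, patch) or None when the string is unrecognised."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version):
    """True  = inside an affected range listed by the advisory,
    False = a fixed release of a listed series,
    None  = a series the advisory does not cover (no verdict either way)."""
    v = parse_version(version)
    if v is None:
        raise ValueError("unrecognised Django version string: %r" % (version,))
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def recommended_upgrade(version):
    """Upgrade target (e.g. '4.2.11') for an affected version, else None."""
    if assess(version):
        return "%d.%d.%d" % FIRST_FIXED[parse_version(version)[:2]]
    return None


def check_installed():
    """Inspect the Django installed in this environment, if any.

    Returns (version, verdict, upgrade_target), or None when Django is absent.
    """
    try:
        version = metadata.version("django")
    except metadata.PackageNotFoundError:
        return None
    return version, assess(version), recommended_upgrade(version)


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("django is not installed in this environment")
    else:
        version, verdict, target = result
        status = {True: "AFFECTED", False: "fixed", None: "series not listed"}[verdict]
        line = "django %s: %s" % (version, status)
        if target:
            line += " (upgrade to %s)" % target
        print(line)
```

Run it inside the virtual environment of the application being assessed, since `importlib.metadata` only sees packages installed there; a `None` verdict for an unlisted series (for example 4.1.x) means the advisory gives no information, not that the version is safe.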
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6
- https://github.com/django/django
- https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a
- https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e
- https://www.djangoproject.com/weblog/2024/mar/04/security-releases/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX
What are Similar Vulnerabilities to CVE-2024-27351?
Similar Vulnerabilities: CVE-2024-24680, CVE-2023-43665, CVE-2019-14232, CVE-2022-25883, CVE-2020-8231
