CVE-2024-41990
denial-of-service vulnerability in django (PyPI)
What is CVE-2024-41990 About?
Django's `urlize()` and `urlizetrunc()` template filters are susceptible to a denial-of-service attack. The condition is triggered when the filters process very large inputs that contain a specific sequence of characters. Exploiting this vulnerability can make the application unresponsive, and it is relatively easy to trigger with the right input.
Affected Software
- django >5.0, <5.0.8
- django >4.2, <4.2.15
Technical Details
The vulnerability affects Django versions 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are designed to convert text into clickable URLs. However, when these filters process exceptionally large inputs that contain a particular sequence of characters, their underlying processing logic becomes inefficient. This inefficiency consumes an excessive amount of CPU resources, leading to a denial-of-service condition where the server becomes unresponsive or crashes due to resource exhaustion.
What is the Impact of CVE-2024-41990?
Successful exploitation may allow attackers to cause a denial-of-service condition, leading to application unresponsiveness and service disruption.
What is the Exploitability of CVE-2024-41990?
Exploitation involves sending a very large input containing a specific character sequence to a Django application that renders it through the urlize() or urlizetrunc() template filters, typically via an input field or content submission. No authentication is strictly required if the vulnerable filter is applied to publicly accessible content, such as user-submitted comments or forum posts. Privilege requirements are minimal, primarily the ability to supply input that will be processed by the filters. The attack can be carried out remotely. The complexity is low to moderate, since it requires crafting a specific large input string and sending it to the application. The risk increases for applications that apply these filters extensively to user-controlled or untrusted content.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-41990?
About the Fix from Resolved Security
Available Upgrade Options
- django >4.2, <4.2.15 → Upgrade to 4.2.15
- django >5.0, <5.0.8 → Upgrade to 5.0.8
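As an added example (not code from this page or the Django project), the following Python check applies the affected ranges listed above to Django pins found in `pip freeze`-style output. It treats the lower bounds as 4.2.0 and 5.0.0 inclusive, following the "4.2 before 4.2.15" / "5.0 before 5.0.8" wording in Technical Details, compares only the numeric release segment, and uses a constructed sample freeze listing.

```python
import re
from typing import List, Tuple

# Affected ranges as listed on this page. The lower bound is treated as x.y.0
# inclusive, following the "4.2 before 4.2.15" / "5.0 before 5.0.8" wording.
AFFECTED_RANGES = (
    ((4, 2, 0), (4, 2, 15)),  # fixed in 4.2.15
    ((5, 0, 0), (5, 0, 8)),   # fixed in 5.0.8
)

# Constructed sample of `pip freeze` output (not taken from any real project).
SAMPLE_FREEZE = """\
asgiref==3.8.1
Django==4.2.14   # pinned before the security release
sqlparse==0.5.1
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a version string to (major, minor, patch).

    Only the numeric release segment is compared: a pre-release suffix such
    as '5.0rc1' is dropped (so it compares as 5.0.0), and a missing patch
    number is treated as .0.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the ranges listed above."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def scan_freeze(freeze_output: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every Django pin in pip-freeze-style text."""
    found = []
    for raw in freeze_output.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"^django==(\S+)$", line, re.IGNORECASE)
        if m:
            found.append((m.group(1), is_affected(m.group(1))))
    return found


if __name__ == "__main__":
    for version, affected in scan_freeze(SAMPLE_FREEZE):
        print(f"Django {version}: {'AFFECTED, upgrade' if affected else 'not in an affected range'}")
```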
Additional Resources
- https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88
- https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
- https://github.com/django/django/commit/7b7b909579c8311c140c89b8a9431bf537febf93
- https://osv.dev/vulnerability/PYSEC-2024-68
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-68.yaml
- https://github.com/django/django
- https://nvd.nist.gov/vuln/detail/CVE-2024-41990
What are Similar Vulnerabilities to CVE-2024-41990?
Similar Vulnerabilities: CVE-2023-36054, CVE-2023-35824, CVE-2023-31126, CVE-2023-28709, CVE-2023-27901
