CVE-2024-41991
Denial of Service vulnerability in django (PyPI)
What is CVE-2024-41991 About?
An issue in Django 5.0 before 5.0.8 and 4.2 before 4.2.15 allows for a denial-of-service attack. This occurs via certain inputs with a very large number of Unicode characters processed by urlize, urlizetrunc, and AdminURLFieldWidget, leading to resource exhaustion. Exploitation can be difficult, requiring large, specifically crafted inputs.
Affected Software
- django
  - >5.0, <5.0.8
  - >4.2, <4.2.15
Technical Details
The vulnerability lies within Django's urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget. When these components process inputs containing an extremely large number of Unicode characters, they can consume excessive computational resources (e.g., CPU, memory) due to inefficient handling of such inputs during URL detection or truncation. An attacker can submit specially crafted input strings that trigger this resource exhaustion, causing the Django application to slow down significantly or become unresponsive, resulting in a denial-of-service condition.
What is the Impact of CVE-2024-41991?
Successful exploitation may allow attackers to cause the Django application to become unresponsive or slow, leading to a denial of service and disrupting the availability of the web service.
What is the Exploitability of CVE-2024-41991?
Exploitation involves submitting inputs with a very large number of Unicode characters to endpoints that use the urlize, urlizetrunc template filters, or the AdminURLFieldWidget. The complexity is moderate to high, as it requires constructing inputs that are large enough to cause resource exhaustion without being prematurely rejected by other filters or web server limits. Authentication requirements depend on whether the vulnerable entry points are accessible to unauthenticated users (e.g., public forms, comments) or only to authenticated users (e.g., admin interfaces). The attack is remote. The main constraint is the size of the input required; if the application or infrastructure has strict input size limits, exploitation becomes harder. However, if such limits are permissive, the risk increases.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-41991?
About the Fix from Resolved Security
Available Upgrade Options
- django
  - >4.2, <4.2.15 → Upgrade to 4.2.15
  - >5.0, <5.0.8 → Upgrade to 5.0.8
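An added example, not taken from this advisory or from the Django project, that audits exact Django pins in requirements-style lines against the fixed releases named above. The version parser and the rule that every release of a listed series below its fixed release counts as affected are this example's own assumptions.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases named in the advisory, keyed by release series (major, minor).
FIXED_RELEASES = {(4, 2): 15, (5, 0): 8}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# Matches "django==4.2.7" style exact pins (case-insensitive package name).
_PIN_RE = re.compile(r"^\s*django\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'X.Y' or 'X.Y.Z' into a tuple; trailing pre-release tags are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(version: str) -> bool:
    """True when the version is in a 4.2.x or 5.0.x series below its fixed release.

    Assumption: all releases of a listed series before the fix are affected,
    which matches the upgrade advice (4.2.15 / 5.0.8) given in the advisory.
    """
    parsed = parse_version(version)
    if parsed is None:
        return False
    major, minor, patch = parsed
    fixed = FIXED_RELEASES.get((major, minor))
    return fixed is not None and patch < fixed


def scan_requirements(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (line, pinned_version, affected) for each exact Django pin found."""
    findings = []
    for line in lines:
        m = _PIN_RE.match(line.split("#", 1)[0])  # ignore inline comments
        if m:
            version = m.group(1)
            findings.append((line.strip(), version, is_affected(version)))
    return findings


# Constructed sample requirements lines; not taken from any real project.
SAMPLE_REQUIREMENTS = [
    "Django==4.2.7    # below the 4.2.15 fix",
    "django==5.0.8    # fixed release",
    "Django==5.1.1    # series not listed in the advisory",
    "django==4.2.15",
    "requests==2.32.3",
]

if __name__ == "__main__":
    for line, version, affected in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{version:<8} {'AFFECTED' if affected else 'ok':<8} {line}")
```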
Additional Resources
- https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-69.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2024-41991
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f
- https://osv.dev/vulnerability/PYSEC-2024-69
- https://github.com/django/django
- https://github.com/django/django/commit/523da8771bce321023f490f70d71a9e973ddc927
What are Similar Vulnerabilities to CVE-2024-41991?
Similar Vulnerabilities: CVE-2023-38545, CVE-2023-28432, CVE-2022-24434, CVE-2021-23358, CVE-2020-8174
