CVE-2024-45230
Denial-of-Service (DoS) vulnerability in django (PyPI)

Type: Denial-of-Service (DoS) | Known exploit: none | Fixable by Resolved Security

What is CVE-2024-45230 About?

This is a Denial-of-Service (DoS) vulnerability in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. It affects the `urlize()` and `urlizetrunc()` template filters, allowing an attacker to cause excessive resource consumption by providing very large inputs with a specific character sequence. This can lead to the application becoming unresponsive.

Affected Software

  • django
    • >=4.2, <4.2.16
    • >=5.0, <5.0.9
    • >=5.1, <5.1.1

Technical Details

The vulnerability affects the urlize() and urlizetrunc() template filters in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. These filters turn URLs and email addresses found in text into clickable links: the input is split into words, and each candidate word is matched against regular expressions and has its wrapping and trailing punctuation trimmed before it is linkified. For a very large input that contains a specific sequence of characters, that per-word string processing becomes highly inefficient, so the time spent grows far faster than the input size. A single render can then occupy a worker process for an extended period, consuming disproportionate CPU (and memory) and producing a denial-of-service condition. The advisory does not name the triggering sequence; the fix shipped in 5.1.1, 5.0.9, and 4.2.16 changes how the filters process such inputs so that they no longer trigger the excessive work.
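The following is an added illustrative model of this bug class, not Django's code and not the actual triggering input (which this page does not give). A urlize-style routine has to peel trailing punctuation off each word without breaking an HTML entity such as `&amp;`, whose closing `;` looks like punctuation. Deciding that by "trim a little, then re-examine the whole word" costs O(n²) on a long word of alternating punctuation; a single right-to-left pass with a bounded look-back costs O(n). The function names `trim_trailing_rescan` and `trim_trailing_single_pass`, the `examined` work counter, and the constructed sample `".;" * 1000` are assumptions made for the example.

```python
"""Illustrative model of the CVE-2024-45230 bug class (added example; not
Django's code). Both functions return (middle, trail, chars_examined), where
`examined` approximates how many characters were looked at."""
import html
import re

TRAILING_PUNCTUATION = ".,:;!"                 # characters trimmed from the end of a word
NO_SEMICOLON = TRAILING_PUNCTUATION.replace(";", "")
MAX_ENTITY_LEN = 34                            # '&' + up to 32 name characters + ';'
# One well-formed entity: named, decimal or hexadecimal.
ENTITY_RE = re.compile(r"&(?:#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]{0,31});")


def _closes_entity(tail):
    """True if `tail` (from a '&' through a final ';') is exactly one entity
    that html.unescape recognises, so its ';' must be kept."""
    return ENTITY_RE.fullmatch(tail) is not None and html.unescape(tail) != tail


def trim_trailing_rescan(word):
    """Vulnerable pattern (hypothetical model). Each pass strips at most one run
    of non-';' punctuation plus one ';', but decides about that ';' by scanning
    the whole remaining word for its last '&'. On ".;" * n this loops n times
    with O(n) work per pass, i.e. O(n^2) overall."""
    middle, trail, examined = word, "", 0
    trimmed = True
    while trimmed:
        trimmed = False
        stripped = middle.rstrip(NO_SEMICOLON)
        examined += len(middle) - len(stripped) + 1
        if stripped != middle:
            trail = middle[len(stripped):] + trail
            middle = stripped
            trimmed = True
        if middle.endswith(";"):
            amp = middle.rfind("&")                 # scans back over the whole word
            examined += len(middle) - max(amp, 0)
            if amp == -1 or not _closes_entity(middle[amp:]):
                trail = ";" + trail
                middle = middle[:-1]
                trimmed = True
    return middle, trail, examined


def trim_trailing_single_pass(word):
    """Hardened pattern. One right-to-left scan; a ';' is kept only if a
    look-back of at most MAX_ENTITY_LEN characters shows it closes an entity,
    so total work is O(len(word)) whatever the content."""
    end, examined = len(word), 0
    while end > 0 and word[end - 1] in TRAILING_PUNCTUATION:
        examined += 1
        if word[end - 1] == ";":
            window_start = max(0, end - MAX_ENTITY_LEN)
            amp = word.rfind("&", window_start, end)
            examined += end - window_start
            if amp != -1 and _closes_entity(word[amp:end]):
                break                               # this ';' belongs to '&...;'
        end -= 1
    return word[:end], word[end:], examined


if __name__ == "__main__":
    # Constructed input for the model; not claimed to be Django's actual trigger.
    sample = ".;" * 1000
    for fn in (trim_trailing_rescan, trim_trailing_single_pass):
        middle, trail, cost = fn(sample)
        print(f"{fn.__name__}: examined ~{cost} chars for a {len(sample)}-char word")
```

Both versions produce the same (middle, trail) split on ordinary input such as `example.com/?a=1&amp;b=2;.` and keep the `;` of a real entity such as `&gt;`, but on the 2,000-character sample the rescanning version examines about a million characters while the single-pass version examines under forty thousand. The practical lesson for any text filter applied to user-supplied content is that each loop iteration must do work bounded by what it removes, never by the size of what remains; the remedy for the real bug is the upgrade listed below, with an input length cap at the form or serializer boundary as defence in depth while the upgrade is rolled out.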

What is the Impact of CVE-2024-45230?

Successful exploitation may allow attackers to cause a denial-of-service condition, rendering the Django application or service unavailable to legitimate users by consuming excessive CPU or memory resources.

What is the Exploitability of CVE-2024-45230?

Exploitation consists of submitting a very large input containing the specific character sequence that triggers the inefficiency into any field whose contents are later rendered through the urlize() or urlizetrunc() filters (comments, forum posts, profile text, message bodies). No authentication or elevated privileges are needed beyond the ability to submit that text, so where the field is publicly exposed the attack is remote and unauthenticated. The attacker must know or discover the triggering sequence; the input size needed scales with how much CPU time they want to consume per render. Because the cost is paid at render time rather than on submission, content that is stored and displayed (such as a comment) is re-processed on every page view, so a single accepted submission can degrade the site repeatedly until it is removed. Prerequisites are an affected Django version and a code path that passes user-controlled text through these filters; the risk is higher for high-traffic applications and for inputs accepted without length limits. Capping the length of user-supplied text at the form or serializer boundary limits the damage but is not a substitute for upgrading.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-45230?

A Fix by Resolved Security Exists!
Learn how we backport CVE fixes to your open-source libraries effortlessly.

About the Fix from Resolved Security

None

Available Upgrade Options

  • django
    • >=4.2, <4.2.16 → Upgrade to 4.2.16
    • >=5.0, <5.0.9 → Upgrade to 5.0.9
    • >=5.1, <5.1.1 → Upgrade to 5.1.1

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Additional Resources

What are Similar Vulnerabilities to CVE-2024-45230?

Similar Vulnerabilities: CVE-2024-39614, CVE-2023-5072, CVE-2023-28155, CVE-2022-25911, CVE-2021-3918