CVE-2025-32873
Denial-of-Service (DoS) vulnerability in django (PyPI)


What is CVE-2025-32873 About?

This Denial-of-Service (DoS) vulnerability in Django's `strip_tags()` function can be triggered by processing large sequences of incomplete HTML tags. This leads to slow performance and resource exhaustion, impacting application availability. Exploitation is achieved by providing specific malformed input.

Affected Software

  • django
    • >4.2, <4.2.21
    • >5.1, <5.1.9
    • >5.2, <5.2.1

Technical Details

The vulnerability affects django.utils.html.strip_tags() and the striptags template filter in Django versions 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The issue arises when the function processes input strings containing a large number of incomplete HTML tags. The stripping logic, designed to parse and remove tags, degrades into highly inefficient, backtracking-like processing when it encounters many unbalanced or malformed tags in quick succession. The function then consumes excessive CPU cycles and memory, causing significant performance degradation or a complete denial of service for the application processing that input.

What is the Impact of CVE-2025-32873?

Successful exploitation may allow attackers to cause a denial of service, leading to service unavailability, resource exhaustion, and degraded performance of applications using the affected function.

What is the Exploitability of CVE-2025-32873?

Exploitation is of low to medium complexity, requiring an attacker to provide input containing a large sequence of carefully crafted, incomplete HTML tags. No authentication or specific privileges are typically necessary if the input field processed by strip_tags() is accessible to unauthenticated users. This attack can be remote, as it involves sending malformed data to a web application. The primary condition is that the application uses django.utils.html.strip_tags() or the striptags template filter on user-controlled input. The risk of exploitation is increased if the application widely uses these functions on untrusted textual content, making it a viable target for resource exhaustion attacks.
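The practical condition above is user-controlled input reaching strip_tags(). Until the upgrade below is applied, a size bound in front of the call limits how much work a single request can force. The following is an added example and not code from the advisory or from Django: MAX_RICH_TEXT_LEN is an assumed, application-specific limit, and demo_strip is a placeholder stand-in for django.utils.html.strip_tags so the example runs without Django installed.

```python
"""Bound the size of untrusted input before it reaches a tag-stripping routine.

Added example; not part of the advisory or of Django. The limit below is an
assumption to be tuned per field, and demo_strip only stands in for
django.utils.html.strip_tags so that this file runs stand-alone.
"""
from typing import Callable

MAX_RICH_TEXT_LEN = 20_000  # assumed limit; size it to what the field legitimately needs


class InputTooLarge(ValueError):
    """Raised instead of spending CPU on an oversized string.

    In a Django form this would be django.core.exceptions.ValidationError.
    """


def is_acceptable(value: str, max_len: int = MAX_RICH_TEXT_LEN) -> bool:
    """Cheap O(1) pre-check: reject before any parsing work is done."""
    return len(value) <= max_len


def guarded_strip_tags(
    value: str,
    strip_fn: Callable[[str], str],
    max_len: int = MAX_RICH_TEXT_LEN,
) -> str:
    """Apply strip_fn only to inputs within the size budget.

    Pass django.utils.html.strip_tags as strip_fn in a real application; the
    check runs before the expensive call so rejected input costs nothing.
    """
    if not is_acceptable(value, max_len):
        raise InputTooLarge(f"input of {len(value)} characters exceeds the {max_len} limit")
    return strip_fn(value)


def demo_strip(value: str) -> str:
    """Placeholder stripper for the stand-alone demo; NOT a replacement for Django's."""
    out, in_tag = [], False
    for ch in value:
        if ch == "<":
            in_tag = True
        elif ch == ">":
            in_tag = False
        elif not in_tag:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(guarded_strip_tags("<b>hello</b> world", demo_strip))  # hello world
    try:
        guarded_strip_tags("x" * (MAX_RICH_TEXT_LEN + 1), demo_strip)
    except InputTooLarge as exc:
        print("rejected:", exc)
```

The bound is defense in depth for the window before the upgrade and for any other costly text processing on the same field; it does not replace moving to the fixed release, which corrects the stripping logic itself.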

What are the Known Public Exploits?

PoC Author    Link    Commentary
Apollo-R3bot  Link    Django Security Issue (CVE-2025-32873)

What are the Available Fixes for CVE-2025-32873?

A Fix by Resolved Security Exists!


Available Upgrade Options

  • django
    • >4.2, <4.2.21 → Upgrade to 4.2.21
    • >5.1, <5.1.9 → Upgrade to 5.1.9
    • >5.2, <5.2.1 → Upgrade to 5.2.1
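To turn the upgrade table into a check that can run in CI or against a deployment inventory, the script below maps an installed Django version to the fixed release for its series. It is an added example, not part of the advisory: the fixed releases are the three listed above, and the version parser is a minimal stand-in for packaging.version so that nothing beyond the standard library is needed.

```python
"""Map an installed Django version to the upgrade target listed on this page.

Added example, not from the advisory. The fixed releases are the three the
page lists; the parser handles only plain X.Y and X.Y.Z strings.
"""
from typing import Dict, Optional, Tuple

# (series) -> first fixed release, as given under "Available Upgrade Options"
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 2): (4, 2, 21),
    (5, 1): (5, 1, 9),
    (5, 2): (5, 2, 1),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y' or 'X.Y.Z' into a comparable tuple; anything else is rejected."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums if len(nums) == 3 else (nums[0], nums[1], 0)


def upgrade_target(installed: str) -> Optional[str]:
    """Return the release to upgrade to, or None if not in a listed affected range.

    None also covers series the page does not list (e.g. a 6.x release), so a
    None result means "not flagged by this page", not "proven safe".
    """
    version = parse_version(installed)
    fixed = FIXED_RELEASES.get((version[0], version[1]))
    if fixed is None or version >= fixed:
        return None
    return ".".join(str(n) for n in fixed)


def audit(installed_versions: Dict[str, str]) -> Dict[str, str]:
    """Given {service: django_version}, return {service: upgrade_target} for affected ones."""
    return {
        name: target
        for name, ver in installed_versions.items()
        if (target := upgrade_target(ver)) is not None
    }


if __name__ == "__main__":
    # Constructed inventory for the demo; replace with output of `pip show django` per host.
    inventory = {"api": "4.2.20", "admin": "5.1.9", "worker": "5.2.0"}
    for service, target in audit(inventory).items():
        print(f"{service}: upgrade Django to {target}")
```

The audit() helper takes an inventory mapping and reports only the services that need action, which is the shape most fleet-wide CVE checks end up in.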


Additional Resources

What are Similar Vulnerabilities to CVE-2025-32873?

Similar Vulnerabilities: CVE-2021-39327, CVE-2020-7613, CVE-2018-9171, CVE-2017-1000378, CVE-2016-1000109