PT-2019-5099 · Django+3
Guido Vranken +1 · Published 2019-08-01 · Updated 2026-01-03
CVE-2019-14232
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Django versions 1.11.x through 1.11.22
Django versions 2.1.x through 2.1.10
Django versions 2.2.x through 2.2.3
Description
The issue is related to the django.utils.text.Truncator class, specifically the chars() and words() methods. When these methods are passed the html=True argument, they can be extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. This vulnerability can be exploited to cause a denial of service. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters.
Recommendations
For Django versions 1.11.x through 1.11.22, update to version 1.11.23 or later.
For Django versions 2.1.x through 2.1.10, update to version 2.1.11 or later.
For Django versions 2.2.x through 2.2.3, update to version 2.2.4 or later.
As a temporary workaround, consider avoiding the use of the html=True argument in the chars() and words() methods until a patch is available.
Fix
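The workaround above, as an added example that is neither the advisory's nor Django's code: tags are removed with the standard library's tokenising html.parser (linear in the input, no regex backtracking) and the plain text is then truncated by words or characters, so the html=True path is never used. MAX_INPUT_CHARS, the function names and the "..." suffix are assumptions.

```python
"""Regex-free replacement for Truncator(...).words()/chars() with html=True."""
from html.parser import HTMLParser

MAX_INPUT_CHARS = 100_000  # assumed cap: bounds work done on untrusted input


class _TextExtractor(HTMLParser):
    """Collects only the text content of an HTML fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &amp; etc. for us
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def strip_tags(html):
    """Tag removal with a tokenising parser: single pass, no backtracking."""
    if len(html) > MAX_INPUT_CHARS:
        raise ValueError("input too large for truncation")
    extractor = _TextExtractor()
    extractor.feed(html)
    extractor.close()  # flushes buffered character data
    return "".join(extractor.parts)


def truncate_words(html, num, truncate="..."):
    """Mirror of Truncator(text).words(num) applied after tag stripping:
    the first num whitespace-separated words, plus the suffix if cut."""
    words = strip_tags(html).split()
    if len(words) <= num:
        return " ".join(words)
    return " ".join(words[:num]) + truncate


def truncate_chars(html, num, truncate="..."):
    """Mirror of Truncator(text).chars(num): the result, suffix included,
    is never longer than num characters."""
    text = strip_tags(html)
    if len(text) <= num:
        return text
    return text[: max(num - len(truncate), 0)] + truncate


if __name__ == "__main__":
    sample = "<p>Hello <b>big</b> &amp; wide world</p>"  # constructed input
    print(truncate_words(sample, 3))  # Hello big &...
    print(truncate_chars(sample, 8))  # Hello...
```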
RCE
Resource Exhaustion
Related identifiers
Affected products
Alt Linux
Django
Suse
Ubuntu