PT-2023-6558 · Django+6
Published 2023-10-04 · Updated 2026-01-03 · CVE-2023-43665
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Django versions 3.2 before 3.2.22
Django versions 4.1 before 4.1.12
Django versions 4.2 before 4.2.6
Description
The issue lies in the django.utils.text.Truncator chars() and words() methods when called with html=True: certain very long, potentially malformed HTML inputs can trigger a potential denial of service. A remote attacker could use this to cause a denial of service under certain conditions. The chars() and words() methods implement the truncatechars_html and truncatewords_html template filters, which are therefore also vulnerable.
Recommendations
For Django versions 3.2 before 3.2.22, update to version 3.2.22 or later.
For Django versions 4.1 before 4.1.12, update to version 4.1.12 or later.
For Django versions 4.2 before 4.2.6, update to version 4.2.6 or later.
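As an added example (not part of this advisory or of Django), a small Python check that applies the three affected ranges above to `pip freeze` output and names the release to upgrade to. The sample output is constructed, and only the branches listed in this advisory are judged, so any other Django branch gets no verdict rather than a clean one.

```python
import re

# First fixed release per affected branch, as stated in the advisory.
FIXED_IN = {
    (3, 2): (3, 2, 22),
    (4, 1): (4, 1, 12),
    (4, 2): (4, 2, 6),
}

def parse_version(text):
    """Map '4.2.5' or '4.2' to an int tuple; pre-release suffixes such as 'rc1' are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())

def fixed_version_for(version):
    """Return the first fixed release if `version` is affected, else None.

    Only the branches in FIXED_IN are judged; any other branch yields None,
    which means "not covered by this advisory", not "safe".
    """
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None or v >= fixed:
        return None
    return ".".join(str(n) for n in fixed)

def scan_pip_freeze(text):
    """Return [(pinned, fixed)] for every vulnerable 'Django==x.y.z' pin in pip-freeze output."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^\s*django\s*==\s*([^\s;#]+)", line, re.IGNORECASE)
        if m:
            fixed = fixed_version_for(m.group(1))
            if fixed:
                findings.append((m.group(1), fixed))
    return findings

# Constructed sample of `pip freeze` output (not taken from any real system).
SAMPLE_FREEZE = """\
asgiref==3.7.2
Django==4.2.5
sqlparse==0.4.4
"""

if __name__ == "__main__":
    for pinned, fixed in scan_pip_freeze(SAMPLE_FREEZE):
        print(f"Django=={pinned}: affected by CVE-2023-43665, upgrade to {fixed} or later")
```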
As a temporary workaround, consider disabling the truncatechars_html and truncatewords_html template filters until a patch is available. Restrict access to the django.utils.text.Truncator methods to minimize the risk of exploitation. Avoid using the html=True parameter in the affected methods until the issue is resolved.
Fix
DoS
Resource Exhaustion
Related identifiers
Affected products
Alt Linux
Astra Linux
Debian
Django
Linuxmint
Red Os
Ubuntu