Elias Myllymäki

**Name of the Vulnerable Software and Affected Versions** Django versions 4.2 through 4.2.20 Django versions 5.1 through 5.1.8 Django versions 5.2 through 5.2.0 **Description** An issue was discovered in Django, where the `django.utils.html.strip tags()` function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter `striptags` is also vulnerable, because it is built on top of `strip tags()`. This issue can be exploited by attackers to crash servers via malformed HTML. **Recommendations** For Django versions 4.2 through 4.2.20, update to version 4.2.21 or later. For Django versions 5.1 through 5.1.8, update to version 5.1.9 or later. For Django versions 5.2 through 5.2.0, update to version 5.2.1 or later. As a temporary workaround, consider disabling the `strip tags()` function or restricting the use of the `striptags` template filter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Django versions 4.2 through 4.2.14 Django versions 5.0 through 5.0.7 **Description** The issue is related to the `floatformat()` function in Django, which can lead to uncontrolled resource consumption. This can be exploited by a remote attacker to cause a denial of service. The `floatformat` template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. **Recommendations** For Django versions 4.2 through 4.2.14, update to version 4.2.15 or later. For Django versions 5.0 through 5.0.7, update to version 5.0.8 or later. As a temporary workaround, consider restricting the use of the `floatformat` template filter to minimize the risk of exploitation. Avoid using the `floatformat` filter with input strings that contain large exponents in scientific notation until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Django versions 4.2 through 4.2.13 Django versions 5.0 through 5.0.6 **Description** The issue is related to a potential denial of service attack via certain inputs with a very large number of brackets in the `urlize` and `urlizetrunc` functions. This can cause uncontrolled resource consumption due to poor time complexity of `strip punctuation`. The vulnerability may allow a remote attacker to cause a denial of service. **Recommendations** For Django versions 4.2 through 4.2.13, update to version 4.2.14 or later. For Django versions 5.0 through 5.0.6, update to version 5.0.7 or later. As a temporary workaround, consider restricting the use of the `urlize` and `urlizetrunc` functions until a patch is available. Avoid using these functions with untrusted input to minimize the risk of exploitation.