PT-2020-14292 · Django · django-filter

Marcin Waraksa · Published 2020-09-28 · Updated 2025-10-14 · CVE-2020-15225

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: django-filter versions prior to 2.4.0
Description: The issue concerns automatically generated NumberFilter instances in django-filter. Their form field accepts numbers in exponential notation, so a request parameter with a sufficiently large exponent is parsed cheaply, but when the value is later converted to an integer every digit of the resulting number has to be materialised, which exhausts CPU and memory and results in a Denial of Service (DoS). The request needs neither authentication nor user interaction. The estimated number of potentially affected installations worldwide is not specified. There is no information about real-world incidents in which this issue was exploited.
Recommendations: For versions prior to 2.4.0, upgrade to version 2.4.0 or later, which applies a MaxValueValidator with a default limit value of 1e50 to the form field used by NumberFilter instances, so that oversized values are rejected before any integer conversion takes place. As a temporary workaround, users who cannot upgrade may manually apply an equivalent validator to the field. Additionally, NumberFilter implements the new get_max_validator() method, which should return a configured validator instance to customise the limit, or None to disable the additional validation.

Tags: Fix · DoS


Weakness Enumeration

Related Identifiers

ALT-PU-2025-10175
CVE-2020-15225
GHSA-x7gm-rfgv-w973
MGASA-2021-0511
PYSEC-2021-64

Affected Products

Alt Linux
django-filter