PT-2024-28441 · Wagtail · Wagtail

Realorangeone · Published 2024-07-11 · Updated 2024-09-19 · CVE-2024-39317

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Wagtail versions prior to 5.2.6
Wagtail versions prior to 6.0.6
Wagtail versions prior to 6.1.3
Description

A bug in Wagtail's parse_query_string function causes it to take a very long time to process suitably crafted inputs, leading to a denial of service. In a default installation this issue can be triggered by any Wagtail admin user, but not by end users. However, if a custom search implementation passes user input to parse_query_string, it may be triggerable by other users, including unauthenticated ones.
Recommendations

For versions prior to 5.2.6, update to version 5.2.6 or later.
For versions prior to 6.0.6, update to version 6.0.6 or later.
For versions prior to 6.1.3, update to version 6.1.3 or later.

As a temporary workaround for site owners who cannot upgrade, limit the length of search terms passed to parse_query_string to 1000 characters or less. Note that this workaround does not cover Wagtail admin usage, which calls the function directly.
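The workaround above applied to a custom search implementation, as an added example that is not part of the advisory or of Wagtail's own code: the length check runs on the raw request value before the parser is ever called, and the parser is injected so the module runs without Wagtail installed (in a real view you would pass wagtail.search.utils.parse_query_string; stub_parser and search_view_logic are hypothetical stand-ins).

```python
"""Length-capping guard for a custom Wagtail search implementation."""
from typing import Any, Callable, Optional

MAX_QUERY_LENGTH = 1000  # cap recommended by the advisory workaround


class QueryTooLongError(ValueError):
    """Raised when a search string exceeds MAX_QUERY_LENGTH."""


def parse_bounded_query(
    raw: Optional[str],
    parser: Callable[[str], Any],
    max_length: int = MAX_QUERY_LENGTH,
) -> Any:
    """Hand the search string to `parser` only if it is within the cap.

    The check is on the raw string, before any parsing work, so the slow
    code path is never reached for oversized input. Surrounding whitespace
    is stripped first so it does not count against the cap.
    """
    query = (raw or "").strip()
    if len(query) > max_length:
        raise QueryTooLongError(
            f"search term is {len(query)} characters; limit is {max_length}"
        )
    return parser(query)


def stub_parser(query: str) -> dict:
    """Stand-in for parse_query_string, used only so this runs offline."""
    return {"terms": query.split()}


def search_view_logic(raw: Optional[str]) -> dict:
    """Hypothetical view logic: reject oversized input with a cheap 400."""
    try:
        parsed = parse_bounded_query(raw, stub_parser)
    except QueryTooLongError as exc:
        # Oversized queries never reach the parser; respond immediately.
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "result": parsed}


if __name__ == "__main__":
    print(search_view_logic("hello world"))          # status 200
    print(search_view_logic("a" * 1001)["status"])   # 400
```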

Tags: Exploit · Fix · DoS

Related Identifiers

CVE-2024-39317
GHSA-JMP3-39VP-FWG8
PYSEC-2024-86

Affected Products

Wagtail