PT-2024-3887 · Django+6

Seokchan Yoon · Published 2024-03-04 · Updated 2026-01-03 · CVE-2024-27351

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Django versions 3.2 through 3.2.24
Django versions 4.2 through 4.2.10
Django versions 5.0 through 5.0.2

Description

The issue is a potential regular expression denial-of-service (ReDoS) in the django.utils.text.Truncator.words() method when it is called with html=True. A remote attacker who can get a crafted string into that code path can make the regular expression backtrack for a very long time and so cause a denial-of-service. The truncatewords_html template filter, which delegates to this method, is subject to the same attack via a crafted string.

Recommendations

For Django versions 3.2 through 3.2.24, update to version 3.2.25 or later. For Django versions 4.2 through 4.2.10, update to version 4.2.11 or later. For Django versions 5.0 through 5.0.2, update to version 5.0.3 or later. Until the upgrade can be applied, as a temporary workaround avoid calling django.utils.text.Truncator.words() with html=True on untrusted input, and do not apply the truncatewords_html template filter to attacker-controlled strings.
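The description above points at the root cause: word truncation of HTML driven by a backtracking regular expression, whose running time an attacker can blow up with a crafted string. The block below is an added example, not Django's own code and not its actual fix: it truncates HTML after a given number of words by walking the markup with the standard-library html.parser, which does a single linear pass and has no pattern to backtrack, and it adds a small helper that maps a Django version string onto the fixed release listed in this advisory. The function names (truncate_words_html, fixed_version_for, parse_version), the output convention (suffix placed before the closing tags, no trailing whitespace) and the sample markup are my own choices, not Django's behaviour.

```python
"""Added example (not Django's code): a linear-time HTML word truncator built
on html.parser instead of a backtracking regex, plus a version-range check
that follows the affected/fixed versions stated in this advisory."""
import html
from html.parser import HTMLParser

# (first affected, last affected, first fixed), exactly as listed in the advisory.
AFFECTED_RANGES = (
    ((3, 2, 0), (3, 2, 24), "3.2.25"),
    ((4, 2, 0), (4, 2, 10), "4.2.11"),
    ((5, 0, 0), (5, 0, 2), "5.0.3"),
)

# Elements that never take a closing tag, so they must not go on the open-tag stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


def parse_version(version):
    """'4.2.10' -> (4, 2, 10); a non-numeric suffix such as 'rc1' is ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    parts.extend([0] * (3 - len(parts)))
    return tuple(parts[:3])


def fixed_version_for(version):
    """Return the first fixed release if `version` is affected, else None."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return fixed
    return None


class _WordTruncator(HTMLParser):
    """One pass over the markup: copy tags through, count words in text nodes,
    and stop emitting once the word budget is spent. Every character is
    visited once, so cost is linear in the input length whatever its shape."""

    def __init__(self, limit):
        super().__init__(convert_charrefs=True)   # entities arrive decoded in handle_data
        self.limit = limit
        self.words = 0
        self.done = False
        self.out = []      # emitted fragments
        self.stack = []    # currently open (non-void) tags

    def handle_starttag(self, tag, attrs):
        if self.done:
            return
        self.out.append(self.get_starttag_text())  # original tag text incl. attributes
        if tag not in VOID_ELEMENTS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):      # <br/> style self-closing tags
        if not self.done:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.done or tag not in self.stack:
            return
        # Close everything opened after `tag` as well (tolerates sloppy nesting).
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.done:
            return
        kept, i, n = [], 0, len(data)
        while i < n:
            j = i
            if data[i].isspace():
                while j < n and data[j].isspace():
                    j += 1
            else:
                while j < n and not data[j].isspace():
                    j += 1
                if self.words >= self.limit:       # budget spent: cut before this word
                    self.done = True
                    break
                self.words += 1
            kept.append(data[i:j])
            i = j
        text = "".join(kept)
        if self.done:
            text = text.rstrip()
        self.out.append(html.escape(text, quote=False))  # re-escape decoded text


def truncate_words_html(markup, limit, suffix="…"):
    """Keep the first `limit` words of `markup`, append `suffix` only if
    something was cut, and close any tags still open at the cut point."""
    parser = _WordTruncator(limit)
    parser.feed(markup)
    parser.close()
    if parser.done:
        parser.out.append(suffix)
    while parser.stack:
        parser.out.append(f"</{parser.stack.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input, not taken from the advisory.
    print(truncate_words_html("<p>The <b>quick</b> brown fox</p>", 3))
    try:
        import django
        print("installed Django", django.get_version(), "-> fixed in",
              fixed_version_for(django.get_version()) or "not in the affected ranges")
    except ImportError:
        print("Django is not installed in this environment")
```

The version helper only encodes the three ranges the advisory lists, so a release series it does not mention (for example one that was already out of support) comes back as None and must be judged separately. Note the truncator counts an entity such as &amp; as its own word when it stands alone, which matches treating any run of non-whitespace as a word.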

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALT-PU-2024-3676
ALT-PU-2024-4472
ALT-PU-2024-8036
ALT-PU-2025-10176
BDU:2024-04292
BIT-DJANGO-2024-27351
CVE-2024-27351
DLA-4210-1
GHSA-VM8Q-M57G-PFF3
MGASA-2024-0075
OESA-2024-1254
OPENSUSE-SU-2024:0077-1
OPENSUSE-SU-2024:0080-1
OPENSUSE-SU-2024:13749-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2026:10005-1
PYSEC-2024-47
RHSA-2024:1640
RHSA-2024:1878
RHSA-2024:3781
RHSA-2024:5662
RHSA-2025:4187
SUSE-SU-2024:0874-1
SUSE-SU-2024:0875-1
SUSE-SU-2024:0902-1
SUSE-SU-2024:1140-1
SUSE-SU-2024:1141-1
USN-6674-1
USN-6674-2

Affected Products

Alt Linux
Astra Linux
Debian
Django
Linuxmint
Red Os
Ubuntu