PT-2024-9682 · Django+7

Jiangniao · Published 2024-11-28 · Updated 2026-02-06 · CVE-2024-53907

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Django versions 4.2 through 4.2.16
Django versions 5.0 through 5.0.9
Django versions 5.1 through 5.1.3

Description

The issue affects the strip_tags() method and the striptags template filter in Django, which are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. A remote attacker could cause a denial of service by sending specially crafted HTML entities. The root cause is unlimited resource allocation resulting from incorrect handling of HTML character escaping.

Recommendations

For Django versions 4.2 through 4.2.16, update to version 4.2.17 or later.
For Django versions 5.0 through 5.0.9, update to version 5.0.10 or later.
For Django versions 5.1 through 5.1.3, update to version 5.1.4 or later.

As a temporary workaround, consider disabling the strip_tags() function and the striptags template filter until the update can be applied.

Tags: Fix · DoS

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

ALT-PU-2024-17274
ALT-PU-2025-10176
BDU:2024-11394
BIT-DJANGO-2024-53907
CVE-2024-53907
DLA-4006-1
GHSA-8498-2H75-472J
MGASA-2025-0039
OESA-2024-2539
OESA-2024-2540
OESA-2024-2541
OESA-2024-2542
OESA-2024-2543
OPENSUSE-SU-2024:0408-1
OPENSUSE-SU-2024:14565-1
OPENSUSE-SU-2024:14568-1
OPENSUSE-SU-2024_4285-1
OPENSUSE-SU-2026:10005-1
PYSEC-2024-156
RHSA-2025:0340
RHSA-2025:0777
SUSE-SU-2024:4285-1
USN-7136-1
USN-7136-2

Affected Products

Alt Linux
Astra Linux
Debian
Django
Linuxmint
Red Os
Suse
Ubuntu