[manjaro-security] [ASA-202505-10] python-django: denial of service

Andrea Denisse denisse at archlinux.org
Tue May 20 21:17:07 CEST 2025


Arch Linux Security Advisory ASA-202505-10
==========================================

Severity: Medium
Date    : 2025-05-19
CVE-ID  : CVE-2025-32873
Package : python-django
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2876

Summary
=======

The package python-django before version 5.1.9-1 is vulnerable to
denial of service.

Resolution
==========

Upgrade to 5.1.9-1.

# pacman -Syu "python-django>=5.1.9-1"

The problem has been fixed upstream in version 5.1.9.

Workaround
==========

None.

Description
===========

django.utils.html.strip_tags() would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is
used to implement the striptags template filter, which was thus also
vulnerable. django.utils.html.strip_tags() now raises a
SuspiciousOperation exception if it encounters an unusually large
number of unclosed opening tags.
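As an added illustration of the guard the fix describes (this is example code, not Django's own strip_tags implementation): a single-pass tag stripper that first counts unclosed opening tags and refuses input above a chosen threshold, so pathological input is rejected in linear time instead of being processed. The MAX_UNCLOSED_TAGS value, the SuspiciousInput exception and all function names are assumptions for this example.

```python
# Example code (not Django's): a bounded tag stripper in the spirit of the
# fix described above. SuspiciousInput stands in for Django's
# django.core.exceptions.SuspiciousOperation.

MAX_UNCLOSED_TAGS = 20  # hypothetical threshold; tune for the application


class SuspiciousInput(ValueError):
    """Raised when input looks like a resource-exhaustion attempt."""


def count_unclosed_open_tags(text: str) -> int:
    """Count '<' characters that are never followed by a matching '>'."""
    unclosed = 0
    in_tag = False
    for ch in text:
        if ch == "<":
            if in_tag:
                unclosed += 1  # the previous '<' was never closed
            in_tag = True
        elif ch == ">" and in_tag:
            in_tag = False
    if in_tag:
        unclosed += 1  # input ended inside a tag
    return unclosed


def strip_tags_guarded(text: str, limit: int = MAX_UNCLOSED_TAGS) -> str:
    """Strip tags in one linear pass, rejecting suspicious input up front.

    Text after an unclosed trailing '<' is dropped (conservative choice).
    """
    if count_unclosed_open_tags(text) > limit:
        raise SuspiciousInput("unusually large number of unclosed opening tags")
    out = []
    in_tag = False
    for ch in text:
        if in_tag:
            in_tag = ch != ">"
        elif ch == "<":
            in_tag = True
        else:
            out.append(ch)
    return "".join(out)


def is_rejected(text: str, limit: int = MAX_UNCLOSED_TAGS) -> bool:
    """True if the guard refuses the input (handy for tests and logging)."""
    try:
        strip_tags_guarded(text, limit)
    except SuspiciousInput:
        return True
    return False
```

An application catching SuspiciousInput (or Django's SuspiciousOperation after upgrading) should treat it as a bad request and log it, rather than retrying the stripping.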

Impact
======

A remote attacker can exploit inefficient HTML tag parsing in Django’s
strip_tags() function to cause excessive CPU usage, leading to a denial
of service. This may affect applications that use the striptags
template filter to sanitize user-controlled input, making them
vulnerable to slowdown or unresponsiveness when handling specially
crafted HTML content.

References
==========

https://www.djangoproject.com/weblog/2025/may/07/security-releases/
https://security.archlinux.org/CVE-2025-32873
