Python/django/3.2.12

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

https://pypi.org/project/django
BSD-3-Clause AND BSD

10 Security Vulnerabilities

Django Denial of service vulnerability in django.utils.encoding.uri_to_iri

Published date: 2023-11-03T06:36:29Z
CVE: CVE-2023-41164
Links:

In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uritoiri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

Affected versions: ["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20"]
Secure versions: [4.2.26, 4.2.27, 5.1.14, 5.1.15, 5.2.8, 5.2.9, 6.0, 6.0a1, 6.0b1, 6.0rc1]
Recommendation: Update to version 6.0.

Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.

Published date: 2025-11-05T15:31:07Z
CVE: CVE-2025-64459
Links:

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q(), are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Affected versions: ["1.10rc1", "1.11.12", "1.11.14", "1.11.18", "1.11.23", "1.11.8", "1.11.9", "1.11rc1", "1.2", "1.2.2", "1.3.4", "1.3.7", "1.4.22", "1.4.7", "1.4.8", "1.6.10", "1.7.10", "1.7.2", "1.8", "1.8.16", "1.8.18", "1.8.6", "1.8.9", "1.8a1", "1.8b1", "1.8c1", "1.9.11", "1.9.9", "2.1.1", "2.1.14", "2.1.4", "2.2.18", "3.0.7", "3.1.6", "1.0.1", "1.0.4", "1.10", "1.11.1", "1.11.22", "1.11.26", "1.11.27", "1.2.5", "1.4", "1.4.10", "1.4.12", "1.5.5", "1.5.6", "1.6.1", "1.6.3", "1.6.4", "1.6.6", "1.8.1", "1.8.10", "1.8.13", "1.8.15", "1.8.2", "1.9", "1.9rc2", "2.0", "2.0.1", "2.0.4", "2.0a1", "2.1.3", "2.2.12", "3.0.1", "3.0.14", "3.0.3", "3.0.8", "3.2", "1.0.3", "1.10b1", "1.11.15", "1.11.24", "1.2.4", "1.4.16", "1.4.17", "1.7.11", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8.17", "1.8.5", "1.8b2", "1.9.8", "2.0.3", "2.0.5", "2.1.2", "2.1.8", "2.1a1", "2.2.17", "3.0.4", "3.0.6", "3.0.9", "3.1a1", "3.1rc1", "1.0.2", "1.1.3", "1.1.4", "1.10.1", "1.11.3", "1.2.6", "1.3", "1.4.19", "1.5.1", "1.5.3", "1.5.7", "1.6", "1.6.11", "1.9.1", "1.9b1", "2.1.13", "2.1.15", "2.2.9", "3.0.10", "3.0.11", "3.1.7", "3.1.8", "3.2rc1", "1.10.5", "1.10.8", "1.10a1", "1.11", "1.11.2", "1.11.20", "1.11.25", "1.11.4", "1.11.5", "1.2.7", "1.4.11", "1.4.13", "1.4.3", "1.4.9", "1.5.12", "1.5.2", "1.6.5", "1.6.8", "1.7.1", "1.1.2", "1.10.4", "1.10.6", "1.11.29", "1.3.5", "1.4.14", "1.4.18", "1.4.20", "1.4.5", "1.5.10", "1.6.7", "1.7.3", "1.7.4", "1.8.11", "1.1.1", "1.10.2", "1.11.10", "1.11.11", "1.11.16", "1.11.17", "1.11.7", "1.3.3", "1.3.6", "1.4.15", "1.4.21", "1.5.4", "1.6.2", "1.6.9", "1.1", "1.10.3", "1.10.7", "1.11.13", "1.11.21", "1.11.28", "1.11.6", "1.11a1", "1.11b1", "1.2.1", "1.2.3", "1.3.1", "1.3.2", "1.4.1", "1.4.2", "1.4.4", "1.4.6", "1.5", "1.5.11", "1.5.8", "1.5.9", "1.7", "1.7.5", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "2.0.12", "2.0.7", "2.1.9", "2.2.11", "2.2.15", "2.2.2", "3.0", "3.0.5", "3.1", "3.1.2", "3.1.4", "1.8.12", "1.8.19", "1.8.7", "1.8.8", "1.9.10", "1.9.12", "1.9.5", "1.9rc1", "2.0.8", "2.0.9", "2.0b1", "2.1", "2.1.5", "2.2.10", "2.2.16", "2.2.19", "2.2.20", "2.2.6", "2.2.8", "3.0.13", "3.0b1", "3.1.5", "3.2a1", "1.8.14", "1.8.4", "2.0.13", "2.0.2", "2.0.6", "2.0rc1", "2.1.10", "2.1.7", "2.1b1", "2.2", "2.2rc1", "3.0.12", "3.0a1", "3.1.1", "3.1.3", "1.8.3", "1.9.6", "1.9.7", "1.9a1", "2.0.10", "2.1.11", "2.1.12", "2.1rc1", "2.2.1", "2.2.13", "2.2.14", "2.2.3", "2.2.4", "2.2.5", "2.2.7", "2.2a1", "2.2b1", "3.0.2", "3.0rc1", "3.1b1", "3.2b1", "3.1.9", "2.2.21", "3.2.1", "2.2.22", "3.1.10", "3.2.2", "3.1.11", "3.2.3", "2.2.23", "3.1.12", "2.2.24", "3.2.4", "3.1.13", "3.2.5", "3.2.6", "3.2.7", "4.0a1", "3.2.8", "4.0b1", "3.2.9", "4.0rc1", "2.2.25", "3.2.10", "3.1.14", "4.0", "3.2.11", "4.0.1", "2.2.26", "2.2.27", "3.2.12", "4.0.2", "4.0.3", "3.2.13", "4.0.4", "2.2.28", "4.1a1", "4.0.5", "4.1b1", "3.2.14", "4.0.6", "4.1rc1", "3.2.15", "4.0.7", "4.1", "4.1.1", "3.2.16", "4.0.8", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.2a1", "4.1.6", "3.2.17", "4.0.9", "4.0.10", "3.2.18", "4.1.7", "4.2b1", "4.2rc1", "4.2", "4.1.8", "4.1.9", "3.2.19", "4.2.1", "4.2.2", "3.2.20", "4.1.10", "4.2.3", "4.2.4", "3.2.21", "4.1.11", "4.2.5", "3.2.22", "4.1.12", "4.2.6", "3.2.23", "4.1.13", "4.2.7", "4.2.8", "4.2.9", "3.2.24", "4.2.10", "3.2.25", "4.2.11", "4.2.12", "4.2.13", "4.2.14", "4.2.15", "4.2.16", "4.2.17", "4.2.18", "4.2.19", "4.2.20", "4.2.21", "4.2.22", "4.2.23", "4.2.24", "4.2.25", "5.0a1", "5.0b1", "5.0rc1", "5.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.0.5", "5.0.6", "5.1a1", "5.1b1", "5.0.7", "5.1rc1", "5.0.8", "5.1", "5.1.1", "5.0.9", "5.1.2", "5.1.3", "5.0.10", "5.1.4", "5.0.11", "5.1.5", "5.0.12", "5.1.6", "5.1.7", "5.0.13", "5.1.8", "5.0.14", "5.1.9", "5.1.10", "5.1.11", "5.1.12", "5.1.13", "5.2a1", "5.2b1", "5.2rc1", "5.2", "5.2.1", "5.2.2", "5.2.3", "5.2.4", "5.2.5", "5.2.6", "5.2.7"]
Secure versions: [4.2.26, 4.2.27, 5.1.14, 5.1.15, 5.2.8, 5.2.9, 6.0, 6.0a1, 6.0b1, 6.0rc1]
Recommendation: Update to version 6.0.

Django Denial-of-service in django.utils.text.Truncator

Published date: 2023-11-03T06:36:30Z
CVE: CVE-2023-43665
Links:

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatecharshtml and truncatewordshtml template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

Affected versions: ["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21"]
Secure versions: [4.2.26, 4.2.27, 5.1.14, 5.1.15, 5.2.8, 5.2.9, 6.0, 6.0a1, 6.0b1, 6.0rc1]
Recommendation: Update to version 6.0.

Django has regular expression denial of service vulnerability in EmailValidator/URLValidator

Published date: 2023-07-03T15:30:45Z
CVE: CVE-2023-36053
Links:

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

Affected versions: ["3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "4.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.1a1", "4.0.5", "4.1b1", "4.0.6", "4.1rc1", "4.0.7", "4.1", "4.1.1", "4.0.8", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.0.9", "4.1.6", "4.0.10", "4.1.7", "4.1.8", "4.1.9", "4.2", "4.2.1", "4.2.2"]
Secure versions: [4.2.26, 4.2.27, 5.1.14, 5.1.15, 5.2.8, 5.2.9, 6.0, 6.0a1, 6.0b1, 6.0rc1]
Recommendation: Update to version 6.0.

Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection

Published date: 2022-07-05T00:00:53Z
CVE: CVE-2022-34265
Links:

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Affected versions: ["4.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13"]
Secure versions: [4.2.26, 4.2.27, 5.1.14, 5.1.15, 5.2.8, 5.2.9, 6.0, 6.0a1, 6.0b1, 6.0rc1]
Recommendation: Update to version 6.0.

Django contains Uncontrolled Resource Consumption via cached header

Published date: 2023-02-01T21:30:23Z
CVE: CVE-2023-23969
Links:

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

Affected versions: ["4.0b1", "4.0rc1", "4.1a1", "4.1b1", "4.1rc1", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.0a1", "4.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "3.2", "3.1rc1", "3.2rc1", "3.0b1", "3.2a1", "3.0rc1", "3.1b1", "3.2b1", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16"]
Secure versions: [4.2.26, 4.2.27, 5.1.14, 5.1.15, 5.2.8, 5.2.9, 6.0, 6.0a1, 6.0b1, 6.0rc1]
Recommendation: Update to version 6.0.

Django potential denial of service vulnerability in UsernameField on Windows

Published date: 2023-11-02T06:30:25Z
CVE: CVE-2023-46695
Links:

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

Affected versions: ["4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.1", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.1.10", "4.1.11", "4.1.12", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22"]
Secure versions: [4.2.26, 4.2.27, 5.1.14, 5.1.15, 5.2.8, 5.2.9, 6.0, 6.0a1, 6.0b1, 6.0rc1]
Recommendation: Update to version 6.0.

Django denial-of-service vulnerability in internationalized URLs

Published date: 2022-10-16T12:00:23Z
CVE: CVE-2022-41323
Links:

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

Affected versions: ["4.1", "4.1.1", "4.0", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15"]
Secure versions: [4.2.26, 4.2.27, 5.1.14, 5.1.15, 5.2.8, 5.2.9, 6.0, 6.0a1, 6.0b1, 6.0rc1]
Recommendation: Update to version 6.0.

Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows

Published date: 2025-11-05T15:31:07Z
CVE: CVE-2025-64458
Links:

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, django.http.HttpResponseRedirect, django.http.HttpResponsePermanentRedirect, and the shortcut django.shortcuts.redirect were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Affected versions: ["1.10rc1", "1.11.12", "1.11.14", "1.11.18", "1.11.23", "1.11.8", "1.11.9", "1.11rc1", "1.2", "1.2.2", "1.3.4", "1.3.7", "1.4.22", "1.4.7", "1.4.8", "1.6.10", "1.7.10", "1.7.2", "1.8", "1.8.16", "1.8.18", "1.8.6", "1.8.9", "1.8a1", "1.8b1", "1.8c1", "1.9.11", "1.9.9", "2.1.1", "2.1.14", "2.1.4", "2.2.18", "3.0.7", "3.1.6", "1.0.1", "1.0.4", "1.10", "1.11.1", "1.11.22", "1.11.26", "1.11.27", "1.2.5", "1.4", "1.4.10", "1.4.12", "1.5.5", "1.5.6", "1.6.1", "1.6.3", "1.6.4", "1.6.6", "1.8.1", "1.8.10", "1.8.13", "1.8.15", "1.8.2", "1.9", "1.9rc2", "2.0", "2.0.1", "2.0.4", "2.0a1", "2.1.3", "2.2.12", "3.0.1", "3.0.14", "3.0.3", "3.0.8", "3.2", "1.0.3", "1.10b1", "1.11.15", "1.11.24", "1.2.4", "1.4.16", "1.4.17", "1.7.11", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8.17", "1.8.5", "1.8b2", "1.9.8", "2.0.3", "2.0.5", "2.1.2", "2.1.8", "2.1a1", "2.2.17", "3.0.4", "3.0.6", "3.0.9", "3.1a1", "3.1rc1", "1.0.2", "1.1.3", "1.1.4", "1.10.1", "1.11.3", "1.2.6", "1.3", "1.4.19", "1.5.1", "1.5.3", "1.5.7", "1.6", "1.6.11", "1.9.1", "1.9b1", "2.1.13", "2.1.15", "2.2.9", "3.0.10", "3.0.11", "3.1.7", "3.1.8", "3.2rc1", "1.10.5", "1.10.8", "1.10a1", "1.11", "1.11.2", "1.11.20", "1.11.25", "1.11.4", "1.11.5", "1.2.7", "1.4.11", "1.4.13", "1.4.3", "1.4.9", "1.5.12", "1.5.2", "1.6.5", "1.6.8", "1.7.1", "1.1.2", "1.10.4", "1.10.6", "1.11.29", "1.3.5", "1.4.14", "1.4.18", "1.4.20", "1.4.5", "1.5.10", "1.6.7", "1.7.3", "1.7.4", "1.8.11", "1.1.1", "1.10.2", "1.11.10", "1.11.11", "1.11.16", "1.11.17", "1.11.7", "1.3.3", "1.3.6", "1.4.15", "1.4.21", "1.5.4", "1.6.2", "1.6.9", "1.1", "1.10.3", "1.10.7", "1.11.13", "1.11.21", "1.11.28", "1.11.6", "1.11a1", "1.11b1", "1.2.1", "1.2.3", "1.3.1", "1.3.2", "1.4.1", "1.4.2", "1.4.4", "1.4.6", "1.5", "1.5.11", "1.5.8", "1.5.9", "1.7", "1.7.5", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "2.0.12", "2.0.7", "2.1.9", "2.2.11", "2.2.15", "2.2.2", "3.0", "3.0.5", "3.1", "3.1.2", "3.1.4", "1.8.12", "1.8.19", "1.8.7", "1.8.8", "1.9.10", "1.9.12", "1.9.5", "1.9rc1", "2.0.8", "2.0.9", "2.0b1", "2.1", "2.1.5", "2.2.10", "2.2.16", "2.2.19", "2.2.20", "2.2.6", "2.2.8", "3.0.13", "3.0b1", "3.1.5", "3.2a1", "1.8.14", "1.8.4", "2.0.13", "2.0.2", "2.0.6", "2.0rc1", "2.1.10", "2.1.7", "2.1b1", "2.2", "2.2rc1", "3.0.12", "3.0a1", "3.1.1", "3.1.3", "1.8.3", "1.9.6", "1.9.7", "1.9a1", "2.0.10", "2.1.11", "2.1.12", "2.1rc1", "2.2.1", "2.2.13", "2.2.14", "2.2.3", "2.2.4", "2.2.5", "2.2.7", "2.2a1", "2.2b1", "3.0.2", "3.0rc1", "3.1b1", "3.2b1", "3.1.9", "2.2.21", "3.2.1", "2.2.22", "3.1.10", "3.2.2", "3.1.11", "3.2.3", "2.2.23", "3.1.12", "2.2.24", "3.2.4", "3.1.13", "3.2.5", "3.2.6", "3.2.7", "4.0a1", "3.2.8", "4.0b1", "3.2.9", "4.0rc1", "2.2.25", "3.2.10", "3.1.14", "4.0", "3.2.11", "4.0.1", "2.2.26", "2.2.27", "3.2.12", "4.0.2", "4.0.3", "3.2.13", "4.0.4", "2.2.28", "4.1a1", "4.0.5", "4.1b1", "3.2.14", "4.0.6", "4.1rc1", "3.2.15", "4.0.7", "4.1", "4.1.1", "3.2.16", "4.0.8", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.2a1", "4.1.6", "3.2.17", "4.0.9", "4.0.10", "3.2.18", "4.1.7", "4.2b1", "4.2rc1", "4.2", "4.1.8", "4.1.9", "3.2.19", "4.2.1", "4.2.2", "3.2.20", "4.1.10", "4.2.3", "4.2.4", "3.2.21", "4.1.11", "4.2.5", "3.2.22", "4.1.12", "4.2.6", "3.2.23", "4.1.13", "4.2.7", "4.2.8", "4.2.9", "3.2.24", "4.2.10", "3.2.25", "4.2.11", "4.2.12", "4.2.13", "4.2.14", "4.2.15", "4.2.16", "4.2.17", "4.2.18", "4.2.19", "4.2.20", "4.2.21", "4.2.22", "4.2.23", "4.2.24", "4.2.25", "5.0a1", "5.0b1", "5.0rc1", "5.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.0.5", "5.0.6", "5.1a1", "5.1b1", "5.0.7", "5.1rc1", "5.0.8", "5.1", "5.1.1", "5.0.9", "5.1.2", "5.1.3", "5.0.10", "5.1.4", "5.0.11", "5.1.5", "5.0.12", "5.1.6", "5.1.7", "5.0.13", "5.1.8", "5.0.14", "5.1.9", "5.1.10", "5.1.11", "5.1.12", "5.1.13", "5.2a1", "5.2b1", "5.2rc1", "5.2", "5.2.1", "5.2.2", "5.2.3", "5.2.4", "5.2.5", "5.2.6", "5.2.7"]
Secure versions: [4.2.26, 4.2.27, 5.1.14, 5.1.15, 5.2.8, 5.2.9, 6.0, 6.0a1, 6.0b1, 6.0rc1]
Recommendation: Update to version 6.0.

Regular expression denial-of-service in Django

Published date: 2024-03-15T21:30:43Z
CVE: CVE-2024-27351
Links:

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

Affected versions: ["5.0", "5.0.1", "5.0.2", "4.2", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "4.2.10", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.2.6", "3.2.7", "3.2.8", "3.2.9", "3.2.10", "3.2.11", "3.2.12", "3.2.13", "3.2.14", "3.2.15", "3.2.16", "3.2.17", "3.2.18", "3.2.19", "3.2.20", "3.2.21", "3.2.22", "3.2.23", "3.2.24"]
Secure versions: [4.2.26, 4.2.27, 5.1.14, 5.1.15, 5.2.8, 5.2.9, 6.0, 6.0a1, 6.0b1, 6.0rc1]
Recommendation: Update to version 6.0.

418 Other Versions

Version License Security Released
3.0 BSD 9 2019-12-02 - 11:13 about 6 years
2.2.28 BSD 2 2022-04-11 - 07:52 over 3 years
2.2.27 BSD 2 2022-02-01 - 07:56 almost 4 years
2.2.26 BSD 4 2022-01-04 - 09:53 almost 4 years
2.2.25 BSD 4 2021-12-07 - 07:34 about 4 years
2.2.24 BSD 4 2021-06-02 - 08:53 over 4 years
2.2.23 BSD 6 2021-05-13 - 07:36 over 4 years
2.2.22 BSD 6 2021-05-06 - 07:40 over 4 years
2.2.21 BSD 6 2021-05-04 - 08:47 over 4 years
2.2.20 BSD 6 2021-04-06 - 07:34 over 4 years
2.2.19 BSD 6 2021-02-19 - 09:07 almost 5 years
2.2.18 BSD 6 2021-02-01 - 09:28 almost 5 years
2.2.17 BSD 7 2020-11-02 - 08:12 about 5 years
2.2.16 BSD 7 2020-09-01 - 09:14 over 5 years
2.2.15 BSD 9 2020-08-03 - 07:23 over 5 years
2.2.14 BSD 9 2020-07-01 - 04:49 over 5 years
2.2.13 BSD 9 2020-06-03 - 09:36 over 5 years
2.2.12 BSD 11 2020-04-01 - 07:59 over 5 years
2.2.11 BSD 11 2020-03-04 - 09:31 almost 6 years
2.2.10 BSD 12 2020-02-03 - 09:50 almost 6 years
2.2.9 BSD 12 2019-12-18 - 08:59 about 6 years
2.2.8 BSD 12 2019-12-02 - 08:57 about 6 years
2.2.7 BSD 13 2019-11-04 - 08:33 about 6 years
2.2.6 BSD 13 2019-10-01 - 08:36 about 6 years
2.2.5 BSD 13 2019-09-02 - 07:18 over 6 years
2.2.4 BSD 13 2019-08-01 - 09:04 over 6 years
2.2.3 BSD 17 2019-07-01 - 07:19 over 6 years
2.2.2 BSD 18 2019-06-03 - 10:11 over 6 years
2.2.1 BSD 20 2019-05-01 - 06:57 over 6 years
2.2 BSD 20 2019-04-01 - 12:47 over 6 years
2.1.15 BSD 4 2019-12-02 - 08:57 about 6 years
2.1.14 BSD 5 2019-11-04 - 08:33 about 6 years
2.1.13 BSD 5 2019-10-01 - 08:36 about 6 years
2.1.12 BSD 5 2019-09-02 - 07:18 over 6 years
2.1.11 BSD 5 2019-08-01 - 09:04 over 6 years
2.1.10 BSD 9 2019-07-01 - 07:19 over 6 years
2.1.9 BSD 10 2019-06-03 - 10:11 over 6 years
2.1.8 BSD 12 2019-04-01 - 09:18 over 6 years
2.1.7 BSD 12 2019-02-11 - 15:10 almost 7 years
2.1.5 BSD 13 2019-01-04 - 13:52 almost 7 years
2.1.4 BSD 14 2018-12-03 - 17:02 about 7 years
2.1.3 BSD 14 2018-11-01 - 14:36 about 7 years
2.1.2 BSD 14 2018-10-01 - 09:22 about 7 years
2.1.1 BSD 15 2018-08-31 - 08:42 over 7 years
2.1 BSD 15 2018-08-01 - 14:11 over 7 years
2.0.13 BSD 5 2019-02-12 - 10:50 almost 7 years
2.0.12 BSD 5 2019-02-11 - 15:10 almost 7 years
2.0.10 BSD 6 2019-01-04 - 14:03 almost 7 years
2.0.9 BSD 7 2018-10-01 - 09:22 about 7 years
2.0.8 BSD 7 2018-08-01 - 13:51 over 7 years