Inefficient Regular Expression Complexity
CVE-2024-27351
Summary
In Django through 3.2.24, 4.x through 4.2.10, and 5.x through 5.0.2, the "django.utils.text.Truncator.words()" method (when called with html=True) and the "truncatewords_html" template filter are subject to a potential regular expression denial-of-service (ReDoS) attack via a crafted string: the HTML-aware truncation relies on regular-expression matching whose running time can blow up on pathological input, so any request that reaches this code path with attacker-controlled text can tie up a worker's CPU. The issue is fixed in Django 3.2.25, 4.2.11, and 5.0.3. NOTE: This issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
CVSS v3 base metrics (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- User Interaction: NONE
- Availability Impact: HIGH
CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
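The two checks a practitioner actually wants from this advisory are "is my installed Django in an affected range?" and "does the truncation path still hang on the input my application accepts?". The following is an added example, not part of the advisory and not Django's own code. "is_affected()" and "parse_version()" are pure Python and assume only the version ranges quoted above plus the fixed releases 3.2.25, 4.2.11 and 5.0.3; "time_truncate()" and "truncatewords_html_bounded()" are hypothetical helpers that assume Django is importable on a POSIX host (they use SIGALRM) and that the caller supplies the input to test, since no crafted payload is reproduced here. "settings.configure(USE_I18N=False)" is used only so that Truncator's truncation text needs no translation catalog.

```python
"""Added example for CVE-2024-27351 (not part of the advisory or of Django)."""
import re
import signal
import time

# First release of each maintained series that carries the fix
# (Django security releases of 2024-03-04).
FIXED_IN = {(3, 2): (3, 2, 25), (4, 2): (4, 2, 11), (5, 0): (5, 0, 3)}


def parse_version(text):
    """'4.2.10' -> (4, 2, 10); a missing patch component counts as 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    return tuple(int(part) for part in m.groups(default="0"))


def is_affected(version_text):
    """True if the version falls in a range the advisory lists as vulnerable."""
    version = parse_version(version_text)
    series = version[:2]
    if series >= (5, 1):
        return False  # 5.1 and later were cut after the fix landed
    if series in FIXED_IN:
        return version < FIXED_IN[series]
    # Remaining series (4.0, 4.1, 3.0, 3.1, 2.x, ...) are end-of-life: they sit
    # inside "through 3.2.24" / "4.x through 4.2.10" and never received a fix.
    return True


def _load_truncator():
    """Import Truncator with minimal settings (assumes Django is installed)."""
    from django.conf import settings

    if not settings.configured:
        settings.configure(USE_I18N=False)  # trans_null: no catalog needed
    from django.utils.text import Truncator

    return Truncator


def time_truncate(html, num_words=1, deadline_s=5.0):
    """Seconds spent in Truncator(html).words(num_words, html=True), or None
    if the call did not finish within deadline_s (the ReDoS symptom).
    Hypothetical probe; the caller supplies the input under test."""
    Truncator = _load_truncator()

    def _expired(signum, frame):
        raise TimeoutError

    previous = signal.signal(signal.SIGALRM, _expired)
    signal.setitimer(signal.ITIMER_REAL, deadline_s)
    start = time.perf_counter()
    try:
        Truncator(html).words(num_words, html=True)
        return time.perf_counter() - start
    except TimeoutError:
        return None
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)
        signal.signal(signal.SIGALRM, previous)


def truncatewords_html_bounded(html, num_words, max_input_chars=10_000):
    """Stop-gap for deployments that cannot upgrade yet: refuse oversized
    attacker-controlled input before it reaches the truncation code.
    Hypothetical helper, not a Django API; this bounds but does not remove
    the cost of a pathological input, so upgrading is still required."""
    if len(html) > max_input_chars:
        raise ValueError(f"input of {len(html)} chars exceeds {max_input_chars}")
    Truncator = _load_truncator()
    return Truncator(html).words(num_words, html=True)


if __name__ == "__main__":
    for candidate in ["3.2.24", "3.2.25", "4.1.13", "4.2.11", "5.0.2", "5.0.3", "5.1"]:
        print(candidate, "affected" if is_affected(candidate) else "not affected")
    try:
        import django

        installed = django.get_version()
        print("installed:", installed, "affected" if is_affected(installed) else "fixed")
        # Constructed, harmless input: just confirms the probe runs end to end.
        print("benign input took", time_truncate("<p>one two three</p>", 2), "s")
    except ImportError:
        print("Django not installed; version logic only")
```

Run the script once before and once after upgrading: a return of None from "time_truncate()" on the input your views accept is the signal that the deployment is still exposed, and "is_affected()" on "django.get_version()" is the quick inventory check to feed into a fleet-wide scan.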
References
Advisory Timeline
- Published