Inefficient Regular Expression Complexity

CVE-2024-27351

Severity High
Score 7.5/10

Summary

In Django through 3.2.24, 4.x.x through 4.2.10, and 5.x.x through 5.0.2, the "django.utils.text.Truncator.words()" method (with html=True) and the "truncatewords_html" template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: This issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
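As an added check that is not part of the advisory, the affected ranges stated in the summary expressed as a version test, so a pinned Django version can be compared against them; it assumes Django's X.Y.Z version form and the requirements text below is a constructed sample:

```python
# Added example (not from the advisory): test a Django version string against
# the affected ranges in the CVE-2024-27351 summary: every release through
# 3.2.24, 4.x through 4.2.10, and 5.x through 5.0.2. A version past those
# ranges is reported as unaffected purely on that basis.
import re

# Inclusive upper bound of the affected range per major line, as a comparable
# tuple (major, minor, patch, final) where final=1 marks a final release.
AFFECTED_UPPER = {3: (3, 2, 24, 1), 4: (4, 2, 10, 1), 5: (5, 0, 2, 1)}

# Constructed requirements.txt sample (not from any real project).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
Django==4.2.10
djangorestframework==3.14.0
django==5.0.3 ; python_version >= "3.10"
"""


def parse_version(text):
    """Turn 'X.Y[.Z][tag]' into (major, minor, patch, final). Any trailing
    tag such as 'a1', 'rc1' or '.dev1' makes the version sort before the
    final release with the same numbers."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    final = 0 if m.group(4) else 1
    return (major, minor, patch, final)


def is_affected(version_text):
    """True when the version lies inside an affected range from the summary."""
    v = parse_version(version_text)
    if v[0] < 3:
        return True  # "Django through 3.2.24" covers every older line too
    if v[0] > 5:
        return False  # lines the advisory does not name
    return v <= AFFECTED_UPPER[v[0]]


def affected_pins(requirements_text):
    """Return the exact Django pins in requirements-style text that fall
    inside an affected range (environment markers and comments ignored)."""
    hits = []
    for line in requirements_text.splitlines():
        m = re.match(r"^\s*django\s*==\s*([0-9][^\s;#]*)", line, re.IGNORECASE)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits
```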

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Advisory Timeline

  • Published