CVE-2025-32873

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2025/may/07/security-releases/
http://www.openwall.com/lists/oss-security/2025/05/07/1

Configurations

No configuration.

History

08 May 2025, 14:39

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema en Django 4.2 (anterior a 4.2.21), 5.1 (anterior a 5.1.9) y 5.2 (anterior a 5.2.1). La función django.utils.html.strip_tags() es vulnerable a una posible denegación de servicio (rendimiento lento) al procesar entradas que contienen grandes secuencias de etiquetas HTML incompletas. El filtro de plantilla striptags también es vulnerable, ya que está basado en strip_tags().

08 May 2025, 04:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-08 04:17

Updated : 2025-05-08 14:39

NVD link : CVE-2025-32873

Mitre link : CVE-2025-32873

CVE.ORG link : CVE-2025-32873

JSON object : View

Products Affected

No product.

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

5.3 /10