Search criteria
131 vulnerabilities by djangoproject
CVE-2025-64460 (GCVE-0-2025-64460)
Vulnerability from cvelistv5 – Published: 2025-12-02 15:15 – Updated: 2025-12-02 21:54
VLAI?
Summary
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Severity ?
No CVSS data available.
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
5.2 , < 5.2.9
(semver)
Unaffected: 5.2.9 (semver) Affected: 5.1 , < 5.1.15 (semver) Unaffected: 5.1.15 (semver) Affected: 4.2 , < 4.2.27 (semver) Unaffected: 4.2.27 (semver) |
Credits
Seokchan Yoon
Shai Berger
Natalia Bidart
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-64460",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T21:53:53.299074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T21:54:23.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/Django/",
"defaultStatus": "unaffected",
"packageName": "django",
"product": "Django",
"repo": "https://github.com/django/django/",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.2.9",
"status": "affected",
"version": "5.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.2.9",
"versionType": "semver"
},
{
"lessThan": "5.1.15",
"status": "affected",
"version": "5.1",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.1.15",
"versionType": "semver"
},
{
"lessThan": "4.2.27",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.27",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Seokchan Yoon"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Shai Berger"
},
{
"lang": "en",
"type": "coordinator",
"value": "Natalia Bidart"
}
],
"datePublic": "2025-12-02T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\u003c/p\u003e\u003cp\u003eAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e"
}
],
"value": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\nAlgorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130: Excessive Allocation"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
"value": "moderate"
},
"type": "Django severity rating"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T15:15:34.451Z",
"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"shortName": "DSF"
},
"references": [
{
"name": "Django security archive",
"tags": [
"vendor-advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "Django releases announcements",
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"name": "Django security releases issued: 5.2.9, 5.1.15, and 4.2.27",
"tags": [
"vendor-advisory"
],
"url": "https://www.djangoproject.com/weblog/2025/dec/02/security-releases/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-03T00:00:00+00:00",
"value": "Initial report received."
},
{
"lang": "en",
"time": "2025-10-03T00:00:00+00:00",
"value": "Vulnerability confirmed."
},
{
"lang": "en",
"time": "2025-12-02T14:00:00+00:00",
"value": "Security release issued."
}
],
"title": "Potential denial-of-service vulnerability in XML serializer text extraction",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"assignerShortName": "DSF",
"cveId": "CVE-2025-64460",
"datePublished": "2025-12-02T15:15:34.451Z",
"dateReserved": "2025-11-04T14:35:57.527Z",
"dateUpdated": "2025-12-02T21:54:23.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13372 (GCVE-0-2025-13372)
Vulnerability from cvelistv5 – Published: 2025-12-02 15:13 – Updated: 2025-12-02 15:43
VLAI?
Summary
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.
`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
Severity ?
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
5.2 , < 5.2.9
(semver)
Unaffected: 5.2.9 (semver) Affected: 5.1 , < 5.1.15 (semver) Unaffected: 5.1.15 (semver) Affected: 4.2 , < 4.2.27 (semver) Unaffected: 4.2.27 (semver) |
Credits
Stackered
Jacob Walls
Natalia Bidart
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13372",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T15:43:29.673288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T15:43:47.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/Django/",
"defaultStatus": "unaffected",
"packageName": "django",
"product": "Django",
"repo": "https://github.com/django/django/",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.2.9",
"status": "affected",
"version": "5.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.2.9",
"versionType": "semver"
},
{
"lessThan": "5.1.15",
"status": "affected",
"version": "5.1",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.1.15",
"versionType": "semver"
},
{
"lessThan": "4.2.27",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.27",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stackered"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jacob Walls"
},
{
"lang": "en",
"type": "coordinator",
"value": "Natalia Bidart"
}
],
"datePublic": "2025-12-02T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\u003c/p\u003e\u003cp\u003e`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Stackered for reporting this issue.\u003c/p\u003e"
}
],
"value": "An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27.\n`FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Stackered for reporting this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66: SQL Injection"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
"value": "high"
},
"type": "Django severity rating"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T15:13:35.692Z",
"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"shortName": "DSF"
},
"references": [
{
"name": "Django security archive",
"tags": [
"vendor-advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "Django releases announcements",
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"name": "Django security releases issued: 5.2.9, 5.1.15, and 4.2.27",
"tags": [
"vendor-advisory"
],
"url": "https://www.djangoproject.com/weblog/2025/dec/02/security-releases/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-11-09T00:00:00+00:00",
"value": "Initial report received."
},
{
"lang": "en",
"time": "2025-11-18T00:00:00+00:00",
"value": "Vulnerability confirmed."
},
{
"lang": "en",
"time": "2025-12-02T14:00:00+00:00",
"value": "Security release issued."
}
],
"title": "Potential SQL injection in FilteredRelation column aliases on PostgreSQL",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"assignerShortName": "DSF",
"cveId": "CVE-2025-13372",
"datePublished": "2025-12-02T15:13:35.692Z",
"dateReserved": "2025-11-18T18:34:58.688Z",
"dateUpdated": "2025-12-02T15:43:47.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64459 (GCVE-0-2025-64459)
Vulnerability from cvelistv5 – Published: 2025-11-05 15:09 – Updated: 2025-11-08 12:49
VLAI?
Summary
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
Severity ?
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
5.2 , < 5.2.8
(semver)
Unaffected: 5.2.8 (semver) Affected: 5.1 , < 5.1.14 (semver) Unaffected: 5.1.14 (semver) Affected: 4.2 , < 4.2.26 (semver) Unaffected: 4.2.26 (semver) |
Credits
cyberstan
Jacob Walls
Natalia Bidart
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-64459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T04:55:35.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-08T12:49:45.129Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/Django/",
"defaultStatus": "unaffected",
"packageName": "django",
"product": "Django",
"repo": "https://github.com/django/django/",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.2.8",
"status": "affected",
"version": "5.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.2.8",
"versionType": "semver"
},
{
"lessThan": "5.1.14",
"status": "affected",
"version": "5.1",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.1.14",
"versionType": "semver"
},
{
"lessThan": "4.2.26",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.26",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "cyberstan"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jacob Walls"
},
{
"lang": "en",
"type": "coordinator",
"value": "Natalia Bidart"
}
],
"datePublic": "2025-11-05T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\u003c/p\u003e\u003cp\u003eThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank cyberstan for reporting this issue.\u003c/p\u003e"
}
],
"value": "An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nThe methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank cyberstan for reporting this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
"value": "high"
},
"type": "Django severity rating"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T15:09:58.239Z",
"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"shortName": "DSF"
},
"references": [
{
"name": "Django security archive",
"tags": [
"vendor-advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "Django releases announcements",
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"name": "Django security releases issued: 5.2.8, 5.1.14, and 4.2.26",
"tags": [
"vendor-advisory"
],
"url": "https://www.djangoproject.com/weblog/2025/nov/05/security-releases/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-20T00:00:00+00:00",
"value": "Initial report received."
},
{
"lang": "en",
"time": "2025-10-20T00:00:00+00:00",
"value": "Vulnerability confirmed."
},
{
"lang": "en",
"time": "2025-11-05T14:00:00+00:00",
"value": "Security release issued."
}
],
"title": "Potential SQL injection via _connector keyword argument in QuerySet and Q objects",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"assignerShortName": "DSF",
"cveId": "CVE-2025-64459",
"datePublished": "2025-11-05T15:09:58.239Z",
"dateReserved": "2025-11-04T14:35:57.527Z",
"dateUpdated": "2025-11-08T12:49:45.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64458 (GCVE-0-2025-64458)
Vulnerability from cvelistv5 – Published: 2025-11-05 15:07 – Updated: 2025-11-05 16:20
VLAI?
Summary
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Severity ?
No CVSS data available.
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
5.2 , < 5.2.8
(semver)
Unaffected: 5.2.8 (semver) Affected: 5.1 , < 5.1.14 (semver) Unaffected: 5.1.14 (semver) Affected: 4.2 , < 4.2.26 (semver) Unaffected: 4.2.26 (semver) |
Credits
Seokchan Yoon
Jacob Walls
Natalia Bidart
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-64458",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T16:20:23.751041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T16:20:57.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/Django/",
"defaultStatus": "unaffected",
"packageName": "django",
"product": "Django",
"repo": "https://github.com/django/django/",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.2.8",
"status": "affected",
"version": "5.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.2.8",
"versionType": "semver"
},
{
"lessThan": "5.1.14",
"status": "affected",
"version": "5.1",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "5.1.14",
"versionType": "semver"
},
{
"lessThan": "4.2.26",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.2.26",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Seokchan Yoon"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jacob Walls"
},
{
"lang": "en",
"type": "coordinator",
"value": "Natalia Bidart"
}
],
"datePublic": "2025-11-05T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\u003c/p\u003e\u003cp\u003eNFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.\u003c/p\u003e\u003cp\u003eEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\u003c/p\u003e\u003cp\u003eDjango would like to thank Seokchan Yoon for reporting this issue.\u003c/p\u003e"
}
],
"value": "An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.\nNFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.\nEarlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\nDjango would like to thank Seokchan Yoon for reporting this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130: Excessive Allocation"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://docs.djangoproject.com/en/dev/internals/security/#security-issue-severity-levels",
"value": "moderate"
},
"type": "Django severity rating"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T15:07:17.031Z",
"orgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"shortName": "DSF"
},
"references": [
{
"name": "Django security archive",
"tags": [
"vendor-advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "Django releases announcements",
"tags": [
"mailing-list"
],
"url": "https://groups.google.com/g/django-announce"
},
{
"name": "Django security releases issued: 5.2.8, 5.1.14, and 4.2.26",
"tags": [
"vendor-advisory"
],
"url": "https://www.djangoproject.com/weblog/2025/nov/05/security-releases/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-02T00:00:00+00:00",
"value": "Initial report received."
},
{
"lang": "en",
"time": "2025-10-09T00:00:00+00:00",
"value": "Vulnerability confirmed."
},
{
"lang": "en",
"time": "2025-11-05T14:00:00+00:00",
"value": "Security release issued."
}
],
"title": "Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6a34fbeb-21d4-45e7-8e0a-62b95bc12c92",
"assignerShortName": "DSF",
"cveId": "CVE-2025-64458",
"datePublished": "2025-11-05T15:07:17.031Z",
"dateReserved": "2025-11-04T14:35:57.526Z",
"dateUpdated": "2025-11-05T16:20:57.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59681 (GCVE-0-2025-59681)
Vulnerability from cvelistv5 – Published: 2025-10-01 00:00 – Updated: 2025-11-04 21:13
VLAI?
Summary
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).
Severity ?
7.1 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
4.2 , < 4.2.25
(custom)
Affected: 5.1 , < 5.1.13 (custom) Affected: 5.2 , < 5.2.7 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:12:04.911087Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:12:14.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:55.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/01/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.25",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.1.13",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.2.7",
"status": "affected",
"version": "5.2",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.25",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.1.13",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T18:47:07.600Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2025/oct/01/security-releases/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-59681",
"datePublished": "2025-10-01T00:00:00.000Z",
"dateReserved": "2025-09-18T00:00:00.000Z",
"dateUpdated": "2025-11-04T21:13:55.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59682 (GCVE-0-2025-59682)
Vulnerability from cvelistv5 – Published: 2025-10-01 00:00 – Updated: 2025-11-04 21:13
VLAI?
Summary
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Severity ?
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
4.2 , < 4.2.25
(custom)
Affected: 5.1 , < 5.1.13 (custom) Affected: 5.2 , < 5.2.7 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59682",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:10:29.537724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:10:39.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:56.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/01/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.25",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.1.13",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.2.7",
"status": "affected",
"version": "5.2",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.25",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.1.13",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the \"startapp --template\" and \"startproject --template\" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T18:51:53.204Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2025/oct/01/security-releases/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-59682",
"datePublished": "2025-10-01T00:00:00.000Z",
"dateReserved": "2025-09-18T00:00:00.000Z",
"dateUpdated": "2025-11-04T21:13:56.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-57833 (GCVE-0-2025-57833)
Vulnerability from cvelistv5 – Published: 2025-09-03 00:00 – Updated: 2025-11-04 21:13
VLAI?
Summary
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
Severity ?
7.1 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
4.2 , < 4.2.24
(custom)
Affected: 5.1 , < 5.1.12 (custom) Affected: 5.2 , < 5.2.6 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57833",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T17:33:03.859285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T17:35:55.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:19.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00017.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/03/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.24",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.1.12",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.2.6",
"status": "affected",
"version": "5.2",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.24",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.1.12",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.6",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T15:19:06.361Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2025/sep/03/security-releases/"
},
{
"url": "https://medium.com/@EyalSec/django-unauthenticated-0-click-rce-and-sql-injection-using-default-configuration-059964f3f898"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-57833",
"datePublished": "2025-09-03T00:00:00.000Z",
"dateReserved": "2025-08-20T00:00:00.000Z",
"dateUpdated": "2025-11-04T21:13:19.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48432 (GCVE-0-2025-48432)
Vulnerability from cvelistv5 – Published: 2025-06-05 00:00 – Updated: 2025-06-11 14:59
VLAI?
Summary
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
Severity ?
4 (Medium)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
4.2 , < 4.2.23
(custom)
Affected: 5.1 , < 5.1.11 (custom) Affected: 5.2 , < 5.2.3 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-06-10T18:03:40.110Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/04/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/10/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/10/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/10/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-05T13:20:12.712693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-05T14:10:52.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.23",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.1.11",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.2.3",
"status": "affected",
"version": "5.2",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.23",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.1.11",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.3",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T14:59:01.028Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2025/jun/04/security-releases/"
},
{
"url": "https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48432",
"datePublished": "2025-06-05T00:00:00.000Z",
"dateReserved": "2025-05-21T00:00:00.000Z",
"dateUpdated": "2025-06-11T14:59:01.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32873 (GCVE-0-2025-32873)
Vulnerability from cvelistv5 – Published: 2025-05-08 00:00 – Updated: 2025-05-08 14:42
VLAI?
Summary
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Severity ?
5.3 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
4.2 , < 4.2.21
(custom)
Affected: 5.1 , < 5.1.9 (custom) Affected: 5.2 , < 5.2.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-05-08T04:05:04.028Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/05/07/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T14:36:22.376528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T14:42:25.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.21",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.1.9",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.2.1",
"status": "affected",
"version": "5.2",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.21",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.1.9",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.1",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T03:36:23.085Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2025/may/07/security-releases/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-32873",
"datePublished": "2025-05-08T00:00:00.000Z",
"dateReserved": "2025-04-11T00:00:00.000Z",
"dateUpdated": "2025-05-08T14:42:25.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27556 (GCVE-0-2025-27556)
Vulnerability from cvelistv5 – Published: 2025-04-02 00:00 – Updated: 2025-04-02 22:03
VLAI?
Summary
An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Severity ?
5.8 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
5.0 , < 5.0.14
(custom)
Affected: 5.1 , < 5.1.8 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T13:21:14.015825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-02T13:27:54.960Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-02T22:03:22.423Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/02/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.0.14",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "5.1.8",
"status": "affected",
"version": "5.1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.0.14",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.1.8",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-02T12:37:20.419Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2025/apr/02/security-releases/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-27556",
"datePublished": "2025-04-02T00:00:00.000Z",
"dateReserved": "2025-03-02T00:00:00.000Z",
"dateUpdated": "2025-04-02T22:03:22.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26699 (GCVE-0-2025-26699)
Vulnerability from cvelistv5 – Published: 2025-03-06 00:00 – Updated: 2025-03-19 20:03
VLAI?
Summary
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Severity ?
5 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
4.2 , < 4.2.20
(custom)
Affected: 5.0 , < 5.0.13 (custom) Affected: 5.1 , < 5.1.7 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-03-19T20:03:03.946Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/06/12"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T20:30:28.270345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T20:30:47.224Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.20",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.0.13",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "5.1.7",
"status": "affected",
"version": "5.1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.20",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.0.13",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.1.7",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T18:45:09.686Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2025/mar/06/security-releases/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-26699",
"datePublished": "2025-03-06T00:00:00.000Z",
"dateReserved": "2025-02-14T00:00:00.000Z",
"dateUpdated": "2025-03-19T20:03:03.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56374 (GCVE-0-2024-56374)
Vulnerability from cvelistv5 – Published: 2025-01-14 00:00 – Updated: 2025-02-12 20:31
VLAI?
Summary
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)
Severity ?
5.8 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| djangoproject | Django |
Affected:
4.2 , < 4.2.18
(custom)
Affected: 5.0 , < 5.0.11 (custom) Affected: 5.1 , < 5.1.5 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-23T18:03:28.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/14/2"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00024.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T19:40:35.398718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:31:20.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.18",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.0.11",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "5.1.5",
"status": "affected",
"version": "5.1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.18",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.0.11",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.1.5",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T19:07:03.855Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2025/jan/14/security-releases/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56374",
"datePublished": "2025-01-14T00:00:00.000Z",
"dateReserved": "2024-12-22T00:00:00.000Z",
"dateUpdated": "2025-02-12T20:31:20.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53907 (GCVE-0-2024-53907)
Vulnerability from cvelistv5 – Published: 2024-12-06 00:00 – Updated: 2024-12-31 18:03
VLAI?
Summary
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.1.4",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.0.10",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "4.2.17",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53907",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T16:22:53.268908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T16:25:24.421Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-12-31T18:03:11.347Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00028.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T11:42:27.713462",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/12/04/3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-53907",
"datePublished": "2024-12-06T00:00:00",
"dateReserved": "2024-11-24T00:00:00",
"dateUpdated": "2024-12-31T18:03:11.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53908 (GCVE-0-2024-53908)
Vulnerability from cvelistv5 – Published: 2024-12-06 00:00 – Updated: 2024-12-06 16:22
VLAI?
Summary
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.1.4",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.0.10",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "4.2.17",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53908",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T16:19:13.745984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T16:22:02.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T11:44:46.815402",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/12/04/3"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-53908",
"datePublished": "2024-12-06T00:00:00",
"dateReserved": "2024-11-24T00:00:00",
"dateUpdated": "2024-12-06T16:22:02.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45231 (GCVE-0-2024-45231)
Vulnerability from cvelistv5 – Published: 2024-10-08 00:00 – Updated: 2025-03-17 17:30
VLAI?
Summary
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
Severity ?
5.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.1.1",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.0.9",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "4.2.16",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45231",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T16:35:34.672082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203 Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T17:30:18.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T15:12:36.486Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-45231",
"datePublished": "2024-10-08T00:00:00.000Z",
"dateReserved": "2024-08-24T00:00:00.000Z",
"dateUpdated": "2025-03-17T17:30:18.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45230 (GCVE-0-2024-45230)
Vulnerability from cvelistv5 – Published: 2024-10-08 00:00 – Updated: 2025-03-17 14:12
VLAI?
Summary
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.1.1",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.0.9",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "4.2.16",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-30T16:30:05.616132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T14:12:05.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T15:05:33.553Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-45230",
"datePublished": "2024-10-08T00:00:00.000Z",
"dateReserved": "2024-08-24T00:00:00.000Z",
"dateUpdated": "2025-03-17T14:12:05.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42005 (GCVE-0-2024-42005)
Vulnerability from cvelistv5 – Published: 2024-08-07 00:00 – Updated: 2025-11-04 16:13
VLAI?
Summary
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.15",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.0.8",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42005",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-16T20:19:17.076015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T17:36:29.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:13:43.599Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20240905-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T14:14:51.264Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-42005",
"datePublished": "2024-08-07T00:00:00.000Z",
"dateReserved": "2024-07-26T00:00:00.000Z",
"dateUpdated": "2025-11-04T16:13:43.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41990 (GCVE-0-2024-41990)
Vulnerability from cvelistv5 – Published: 2024-08-07 00:00 – Updated: 2025-11-04 16:13
VLAI?
Summary
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.15",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.0.8",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "pkg:pypi/django@4.2.15",
"status": "affected",
"version": "pkg:pypi/django@4.2",
"versionType": "custom"
},
{
"lessThan": "pkg:pypi/django@5.0.8",
"status": "affected",
"version": "pkg:pypi/django@5.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T15:20:51.732074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:57:21.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:13:41.723Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20240905-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T14:11:45.667Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41990",
"datePublished": "2024-08-07T00:00:00.000Z",
"dateReserved": "2024-07-25T00:00:00.000Z",
"dateUpdated": "2025-11-04T16:13:41.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41989 (GCVE-0-2024-41989)
Vulnerability from cvelistv5 – Published: 2024-08-07 00:00 – Updated: 2025-11-04 16:13
VLAI?
Summary
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.15",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.0.8",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41989",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T19:34:43.299369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T18:52:59.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:13:40.784Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20240905-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T14:10:31.266Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41989",
"datePublished": "2024-08-07T00:00:00.000Z",
"dateReserved": "2024-07-25T00:00:00.000Z",
"dateUpdated": "2025-11-04T16:13:40.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41991 (GCVE-0-2024-41991)
Vulnerability from cvelistv5 – Published: 2024-08-07 00:00 – Updated: 2025-11-04 16:13
VLAI?
Summary
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.15",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.0.8",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T17:57:11.874865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T15:56:42.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:13:42.653Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20240905-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T14:13:02.341Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41991",
"datePublished": "2024-08-07T00:00:00.000Z",
"dateReserved": "2024-07-25T00:00:00.000Z",
"dateUpdated": "2025-11-04T16:13:42.653Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-39614 (GCVE-0-2024-39614)
Vulnerability from cvelistv5 – Published: 2024-07-10 00:00 – Updated: 2025-11-04 16:12
VLAI?
Summary
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"status": "unaffected",
"version": "5.1"
},
{
"lessThan": "5.0.7",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "4.2.14",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-39614",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-10T13:29:40.596884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T16:26:00.516Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:12:29.895Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240808-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T04:51:34.459Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-39614",
"datePublished": "2024-07-10T00:00:00.000Z",
"dateReserved": "2024-06-26T00:00:00.000Z",
"dateUpdated": "2025-11-04T16:12:29.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-38875 (GCVE-0-2024-38875)
Vulnerability from cvelistv5 – Published: 2024-07-10 00:00 – Updated: 2025-11-04 16:12
VLAI?
Summary
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:4.2:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.14",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:djangoproject:django:5.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.0.7",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-10T13:43:12.424005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T16:32:32.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:12:24.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240808-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T04:47:51.213Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-38875",
"datePublished": "2024-07-10T00:00:00.000Z",
"dateReserved": "2024-06-21T00:00:00.000Z",
"dateUpdated": "2025-11-04T16:12:24.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-39329 (GCVE-0-2024-39329)
Vulnerability from cvelistv5 – Published: 2024-07-10 00:00 – Updated: 2025-11-04 16:12
VLAI?
Summary
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
Severity ?
5.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "5.0.7",
"status": "affected",
"version": "5.0",
"versionType": "custom"
},
{
"lessThan": "4.2.14",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-39329",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-10T16:17:00.476005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T20:38:21.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:12:25.958Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240808-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T04:48:41.258Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-39329",
"datePublished": "2024-07-10T00:00:00.000Z",
"dateReserved": "2024-06-23T00:00:00.000Z",
"dateUpdated": "2025-11-04T16:12:25.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-39330 (GCVE-0-2024-39330)
Vulnerability from cvelistv5 – Published: 2024-07-10 00:00 – Updated: 2025-11-04 16:12
VLAI?
Summary
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
Severity ?
4.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-39330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-10T13:59:56.070563Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T15:04:12.857Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T16:12:26.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240808-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T04:49:58.757Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-39330",
"datePublished": "2024-07-10T00:00:00.000Z",
"dateReserved": "2024-06-23T00:00:00.000Z",
"dateUpdated": "2025-11-04T16:12:26.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-27351 (GCVE-0-2024-27351)
Vulnerability from cvelistv5 – Published: 2024-03-15 00:00 – Updated: 2025-11-04 18:30
VLAI?
Summary
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
Severity ?
5.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:django-rest-framework:django_rest_framework:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django_rest_framework",
"vendor": "django-rest-framework",
"versions": [
{
"lessThan": "5.0.3",
"status": "affected",
"version": "5.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-27351",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-20T19:41:21.960404Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:46:29.510Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:30:07.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e"
},
{
"url": "https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a"
},
{
"url": "https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/5.0/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2024/mar/04/security-releases/"
},
{
"name": "FEDORA-2024-5c7fb64c74",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"
},
{
"name": "FEDORA-2024-2ec03ca8cb",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"
},
{
"name": "FEDORA-2024-84fbbbb914",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
},
{
"name": "[oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/04/1"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:09:52.661Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://docs.djangoproject.com/en/5.0/releases/security/"
},
{
"url": "https://www.djangoproject.com/weblog/2024/mar/04/security-releases/"
},
{
"name": "FEDORA-2024-5c7fb64c74",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"
},
{
"name": "FEDORA-2024-2ec03ca8cb",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"
},
{
"name": "FEDORA-2024-84fbbbb914",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
},
{
"name": "[oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/04/1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-27351",
"datePublished": "2024-03-15T00:00:00.000Z",
"dateReserved": "2024-02-25T00:00:00.000Z",
"dateUpdated": "2025-11-04T18:30:07.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-24680 (GCVE-0-2024-24680)
Vulnerability from cvelistv5 – Published: 2024-02-06 00:00 – Updated: 2025-11-04 18:29
VLAI?
Summary
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:29:09.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/5.0/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/"
},
{
"name": "FEDORA-2024-5c7fb64c74",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"
},
{
"name": "FEDORA-2024-2ec03ca8cb",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"
},
{
"name": "FEDORA-2024-84fbbbb914",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T17:27:36.284904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:45:42.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-20T03:05:55.273Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://docs.djangoproject.com/en/5.0/releases/security/"
},
{
"url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/"
},
{
"name": "FEDORA-2024-5c7fb64c74",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/"
},
{
"name": "FEDORA-2024-2ec03ca8cb",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/"
},
{
"name": "FEDORA-2024-84fbbbb914",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-24680",
"datePublished": "2024-02-06T00:00:00.000Z",
"dateReserved": "2024-01-26T00:00:00.000Z",
"dateUpdated": "2025-11-04T18:29:09.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-41164 (GCVE-0-2023-41164)
Vulnerability from cvelistv5 – Published: 2023-11-03 00:00 – Updated: 2025-11-04 17:12
VLAI?
Summary
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:12:37.868Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/4.2/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2023/sep/04/security-releases/"
},
{
"name": "FEDORA-2023-a67af7d8f4",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231214-0002/"
},
{
"name": "FEDORA-2024-84fbbbb914",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-20T03:06:02.315Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://docs.djangoproject.com/en/4.2/releases/security/"
},
{
"url": "https://www.djangoproject.com/weblog/2023/sep/04/security-releases/"
},
{
"name": "FEDORA-2023-a67af7d8f4",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231214-0002/"
},
{
"name": "FEDORA-2024-84fbbbb914",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-41164",
"datePublished": "2023-11-03T00:00:00.000Z",
"dateReserved": "2023-08-24T00:00:00.000Z",
"dateUpdated": "2025-11-04T17:12:37.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-43665 (GCVE-0-2023-43665)
Vulnerability from cvelistv5 – Published: 2023-11-03 00:00 – Updated: 2025-11-04 17:12
VLAI?
Summary
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:12:41.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/4.2/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2023/oct/04/security-releases/"
},
{
"name": "FEDORA-2023-a67af7d8f4",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231221-0001/"
},
{
"name": "FEDORA-2024-84fbbbb914",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
},
{
"name": "[oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/04/1"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T17:09:51.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://docs.djangoproject.com/en/4.2/releases/security/"
},
{
"url": "https://www.djangoproject.com/weblog/2023/oct/04/security-releases/"
},
{
"name": "FEDORA-2023-a67af7d8f4",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231221-0001/"
},
{
"name": "FEDORA-2024-84fbbbb914",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
},
{
"name": "[oss-security] 20240304 Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/04/1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-43665",
"datePublished": "2023-11-03T00:00:00.000Z",
"dateReserved": "2023-09-20T00:00:00.000Z",
"dateUpdated": "2025-11-04T17:12:41.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-46695 (GCVE-0-2023-46695)
Vulnerability from cvelistv5 – Published: 2023-11-02 00:00 – Updated: 2024-08-02 20:53
VLAI?
Summary
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:20.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/4.2/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2023/nov/01/security-releases/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231214-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T10:06:39.801548",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://docs.djangoproject.com/en/4.2/releases/security/"
},
{
"url": "https://www.djangoproject.com/weblog/2023/nov/01/security-releases/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231214-0001/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-46695",
"datePublished": "2023-11-02T00:00:00",
"dateReserved": "2023-10-25T00:00:00",
"dateUpdated": "2024-08-02T20:53:20.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36053 (GCVE-0-2023-36053)
Vulnerability from cvelistv5 – Published: 2023-07-03 00:00 – Updated: 2025-11-04 17:12
VLAI?
Summary
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "10.0"
}
]
},
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fedora",
"vendor": "fedoraproject",
"versions": [
{
"status": "affected",
"version": "37"
}
]
},
{
"cpes": [
"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "django",
"vendor": "djangoproject",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-36053",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-22T16:03:28.124119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:25:43.436Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:12:33.751Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.djangoproject.com/en/4.2/releases/security/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2023/jul/03/security-releases/"
},
{
"name": "[debian-lts-announce] 20230719 [SECURITY] [DLA 3500-1] python-django security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html"
},
{
"name": "DSA-5465",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5465"
},
{
"name": "FEDORA-2023-cc023fabb7",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/"
},
{
"name": "FEDORA-2023-9d36d373f1",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/"
},
{
"name": "FEDORA-2024-84fbbbb914",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-20T03:05:57.133Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"url": "https://docs.djangoproject.com/en/4.2/releases/security/"
},
{
"url": "https://www.djangoproject.com/weblog/2023/jul/03/security-releases/"
},
{
"name": "[debian-lts-announce] 20230719 [SECURITY] [DLA 3500-1] python-django security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html"
},
{
"name": "DSA-5465",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5465"
},
{
"name": "FEDORA-2023-cc023fabb7",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS/"
},
{
"name": "FEDORA-2023-9d36d373f1",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A/"
},
{
"name": "FEDORA-2024-84fbbbb914",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36053",
"datePublished": "2023-07-03T00:00:00.000Z",
"dateReserved": "2023-06-20T00:00:00.000Z",
"dateUpdated": "2025-11-04T17:12:33.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}