Arch Linux alert ASA-202505-10 (python-django)
| From: | Andrea Denisse <denisse@archlinux.org> | |
| To: | arch-security <arch-security@lists.archlinux.org> | |
| Subject: | [ASA-202505-10] python-django: denial of service | |
| Date: | Tue, 20 May 2025 13:17:07 -0600 | |
| Message-ID: | <e5d830935e20facd7a570e7363860eb141abac12.camel@archlinux.org> | |
| Archive-link: | Article |
Arch Linux Security Advisory ASA-202505-10 ========================================== Severity: Medium Date : 2025-05-19 CVE-ID : CVE-2025-32873 Package : python-django Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2876 Summary ======= The package python-django before version 5.1.9-1 is vulnerable to denial of service. Resolution ========== Upgrade to 5.1.9-1. # pacman -Syu "python-django>=5.1.9-1" The problem has been fixed upstream in version 5.1.9. Workaround ========== None. Description =========== django.utils.html.strip_tags() would be slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the striptags template filter, which was thus also vulnerable. django.utils.html.strip_tags() now raises a SuspiciousOperation exception if it encounters an unusually large number of unclosed opening tags. Impact ====== A remote attacker can exploit inefficient HTML tag parsing in Django’s strip_tags() function to cause excessive CPU usage, leading to a denial of service. This may affect applications that use the striptags template filter to sanitize user-controlled input, making them vulnerable to slowdown or unresponsiveness when handling specially crafted HTML content. References ========== https://www.djangoproject.com/weblog/2025/may/07/security... https://security.archlinux.org/CVE-2025-32873