Description: In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       | Release                        | Version               | Status
---------------------|--------------------------------|-----------------------|-----------
python-django (PTS)  | buster                         | 1:1.11.29-1~deb10u1   | vulnerable
python-django (PTS)  | buster (security)              | 1:1.11.29-1+deb10u11  | vulnerable
python-django (PTS)  | bullseye (security), bullseye  | 2:2.2.28-1~deb11u2    | vulnerable
python-django (PTS)  | bookworm, bookworm (security)  | 3:3.2.19-1+deb12u1    | vulnerable
python-django (PTS)  | sid, trixie                    | 3:4.2.11-1            | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
--------|------|---------|---------------|---------|--------|------------
(no fixed-version entries listed)

Notes:
[bookworm] - python-django <postponed> (Minor issue, fix along in future update)
[bullseye] - python-django <postponed> (Minor issue, fix along in future update)
[buster] - python-django <no-dsa> (Minor issue) (5.0.3) (4.2.11) (3.2.25)
CVE is a followup to CVE-2019-14232 and CVE-2023-43665.
