Django 3.2.22 release notes¶
October 4, 2023
Django 3.2.22 fixes a security issue with severity “moderate” in 3.2.21.
CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator
¶
Following the fix for CVE 2019-14232, the regular expressions used in the
implementation of django.utils.text.Truncator
’s chars()
and words()
methods (with html=True
) were revised and improved. However, these regular
expressions still exhibited linear backtracking complexity, so when given a
very long, potentially malformed HTML input, the evaluation would still be
slow, leading to a potential denial of service vulnerability.
The chars()
and words()
methods are used to implement the
truncatechars_html
and truncatewords_html
template
filters, which were thus also vulnerable.
The input processed by Truncator
, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.