• 5.0
  • dev
  • Documentation version: 5.1

Django 5.0.3 release notes

March 4, 2024

Django 5.0.3 fixes a security issue with severity “moderate” and several bugs in 5.0.2.

CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()

django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE 2019-14232 and CVE 2023-43665).

Bugfixes

  • Fixed a regression in Django 5.0.2 where intcomma template filter could return a leading comma for string representation of floats (#35172).

  • Fixed a bug in Django 5.0 that caused a crash of Signal.asend() and asend_robust() when all receivers were asynchronous functions (#35174).

  • Fixed a regression in Django 5.0.1 where ModelAdmin.lookup_allowed() would prevent filtering against foreign keys using lookups like __isnull when the field was not included in ModelAdmin.list_filter (#35173).

  • Fixed a regression in Django 5.0 that caused a crash of @sensitive_variables and @sensitive_post_parameters decorators on functions loaded from .pyc files (#35187).

  • Fixed a regression in Django 5.0 that caused a crash when reloading a test database and a base queryset for a base manager used prefetch_related() (#35238).

  • Fixed a bug in Django 5.0 where facet filters in the admin would crash on a SimpleListFilter using a queryset without primary keys (#35198).

Back to Top