Medium severity5.3NVD Advisory· Published Mar 9, 2018· Updated Jun 17, 2026
CVE-2018-7537
CVE-2018-7537
Description
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 2.0, < 2.0.3 | 2.0.3 |
DjangoPyPI | >= 1.11, < 1.11.11 | 1.11.11 |
DjangoPyPI | >= 1.8, < 1.8.19 | 1.8.19 |
Affected products
10- ghsa-coords10 versionspkg:pypi/djangopkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Django&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/python-Django&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%206pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012%20SP1
>= 2.0, < 2.0.3+ 9 more
- (no CPE)range: >= 2.0, < 2.0.3
- (no CPE)range: < 4.2.14-1.1
- (no CPE)range: < 6.0-1.1
- (no CPE)range: < 3.2.7-2.3
- (no CPE)range: < 1.6.11-5.5.1
- (no CPE)range: < 1.6.11-6.5.1
- (no CPE)range: < 1.8.19-3.6.1
- (no CPE)range: < 1.8.19-3.4.1
- (no CPE)range: < 1.11.11-8.1
- (no CPE)range: < 1.11.15-2.1
Patches
Vulnerability mechanics
References
15- www.securityfocus.com/bid/103357nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHSA-2018:2927nvdThird Party AdvisoryWEB
- access.redhat.com/errata/RHSA-2019:0265nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-2f9x-5v75-3qv4ghsaADVISORY
- lists.debian.org/debian-lts-announce/2018/03/msg00006.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2018-7537ghsaADVISORY
- usn.ubuntu.com/3591-1/nvdThird Party Advisory
- www.debian.org/security/2018/dsa-4161nvdThird Party AdvisoryWEB
- www.djangoproject.com/weblog/2018/mar/06/security-releases/nvdRelease NotesVendor Advisory
- github.com/django/django/commit/94c5da1d17a6b0d378866c66b605102c19f7988cghsaWEB
- github.com/django/django/commit/a91436360b79a6ff995c3e5018bcc666dfaf1539ghsaWEB
- github.com/django/django/commit/d17974a287a6ea2e361daff88fcc004cbd6835faghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-6.yamlghsaWEB
- usn.ubuntu.com/3591-1ghsaWEB
- www.djangoproject.com/weblog/2018/mar/06/security-releasesghsaWEB
News mentions
0No linked articles in our index yet.