CVE-2019-14232
Description
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Django Truncator's chars() and words() methods with html=True vulnerable to ReDoS, enabling denial-of-service via crafted input.
A catastrophic backtracking vulnerability exists in Django's django.utils.text.Truncator class when the chars() and words() methods are called with html=True [2]. The affected methods are used by the truncatechars_html and truncatewords_html template filters. The regular expression used to parse HTML-like input can cause exponential backtracking on specially crafted strings, leading to severe performance degradation.
Exploitation requires an attacker to provide input that triggers the vulnerable regex pattern, either directly to the Truncator methods or indirectly through template filters that accept user-controlled data [3]. No authentication is necessary if the application exposes these filters to unauthenticated users. The attack can be performed over HTTP by sending a request with a malicious string.
Successful exploitation leads to a denial-of-service condition: the worker evaluating the regex is pinned at full CPU for as long as the backtracking runs, potentially rendering the web server unresponsive. The vulnerability is classified as a ReDoS (Regular Expression Denial of Service) and can be exploited remotely without privileges.
The Django project released patches in versions 1.11.23, 2.1.11, and 2.2.4, which contain a fixed regular expression that avoids catastrophic backtracking [3]. Users are strongly advised to upgrade to these or later versions. No workaround is available for older versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 1.11a1, < 1.11.23 | 1.11.23 |
| Django (PyPI) | >= 2.1a1, < 2.1.11 | 2.1.11 |
| Django (PyPI) | >= 2.2a1, < 2.2.4 | 2.2.4 |
Affected products
- Django/Django (no CPE recorded; 12 version ranges keyed by package URL from the GHSA coordinates)

| Package (purl) | Distribution | Affected versions |
|---|---|---|
| pkg:pypi/django | PyPI | >= 1.11a1, < 1.11.23 |
| pkg:rpm/opensuse/python-Django4 | openSUSE Tumbleweed | < 4.2.14-1.1 |
| pkg:rpm/opensuse/python-Django6 | openSUSE Tumbleweed | < 6.0-1.1 |
| pkg:rpm/opensuse/python-Django | openSUSE Leap 15.1 | < 2.2.4-lp151.2.3.1 |
| pkg:rpm/opensuse/python-Django | openSUSE Tumbleweed | < 3.2.7-2.3 |
| pkg:rpm/suse/python-Django1 | SUSE OpenStack Cloud 9 | < 1.11.23-3.9.1 |
| pkg:rpm/suse/python-Django1 | SUSE OpenStack Cloud Crowbar 9 | < 1.11.23-3.9.1 |
| pkg:rpm/suse/python-Django | HPE Helion OpenStack 8 | < 1.11.23-3.12.1 |
| pkg:rpm/suse/python-Django | SUSE OpenStack Cloud 7 | < 1.8.19-3.15.1 |
| pkg:rpm/suse/python-Django | SUSE OpenStack Cloud 8 | < 1.11.23-3.12.1 |
| pkg:rpm/suse/python-Django | SUSE OpenStack Cloud Crowbar 8 | < 1.11.23-3.12.1 |
| pkg:rpm/suse/python-Django | SUSE Package Hub 15 SP1 | < 2.2.4-bp151.3.3.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html (GHSA; vendor advisory)
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html (GHSA; vendor advisory)
- github.com/advisories/GHSA-c4qh-4vgv-qc6g (GHSA; advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/ (MITRE, GHSA; vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-14232 (GHSA; advisory)
- security.gentoo.org/glsa/202004-17 (GHSA; vendor advisory)
- www.debian.org/security/2019/dsa-4498 (GHSA; vendor advisory)
- www.openwall.com/lists/oss-security/2023/10/04/6 (GHSA; mailing list)
- www.openwall.com/lists/oss-security/2024/03/04/1 (GHSA; mailing list)
- docs.djangoproject.com/en/dev/releases/security/ (GHSA, MITRE)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-11.yaml (GHSA)
- github.com/pypa/advisory-db/tree/main/vulns/django/PYSEC-2019-11.yaml (GHSA)
- groups.google.com/forum/ (GHSA)
- lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3LGJSPCN3VEG2UJPYCUB6TU75JTIV2TQ (GHSA)
- lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/5XTP44JEOSNXRVW4JDZXA5XGMBDZLWSW (GHSA)
- seclists.org/bugtraq/2019/Aug/15 (GHSA; mailing list)
- security.netapp.com/advisory/ntap-20190828-0002/ (GHSA, MITRE)
- www.djangoproject.com/weblog/2019/aug/01/security-releases/ (GHSA, MITRE)
News mentions
No linked articles in our index yet.