CVE-2019-14233
Description
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Django's strip_tags() can be abused to cause a denial-of-service via crafted input with nested incomplete HTML entities, due to inefficient HTMLParser behavior.
Vulnerability Overview
CVE-2019-14233 is a denial-of-service (DoS) vulnerability in Django's django.utils.html.strip_tags function. The root cause lies in the behavior of the underlying HTMLParser when evaluating certain inputs containing large sequences of nested incomplete HTML entities. This leads to extreme slowness, allowing an attacker to exhaust server resources [1][2].
Attack Vector
An attacker can exploit this vulnerability by providing specially crafted input to any application that passes user-controlled data through the strip_tags function or the related template filter (striptags). No authentication is required when the input is user-controlled, and the attack can be performed remotely over HTTP. The crafted input causes excessive processing in the underlying HTML parser, resulting in a denial-of-service condition [3][4].
Impact
Successful exploitation allows an attacker to cause the Django application to consume excessive CPU time, potentially leading to a full denial-of-service for legitimate users. The vulnerability does not lead to data disclosure or privilege escalation, but it can disrupt application availability [1][4].
Mitigation
Django released patched versions 1.11.23, 2.1.11, and 2.2.4 on August 1, 2019, which address this issue by improving the handling of HTML entities within strip_tags. All users running affected versions are strongly advised to upgrade immediately. No workaround is available other than applying the patch [1][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Django | PyPI | >= 1.11a1, < 1.11.23 | 1.11.23 |
| Django | PyPI | >= 2.1a1, < 2.1.11 | 2.1.11 |
| Django | PyPI | >= 2.2a1, < 2.2.4 | 2.2.4 |
Affected products
- Django / Django
  - GHSA coordinates (9 versions); no CPE is recorded for any of them. Each package identifier is listed with the version range recorded for it, in the order the advisory lists them:
    - pkg:pypi/django: >= 1.11a1, < 1.11.23
    - pkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.1: < 2.2.4-lp151.2.3.1
    - pkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%209: < 1.11.23-3.9.1
    - pkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: < 1.11.23-3.9.1
    - pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208: < 1.11.23-3.12.1
    - pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207: < 1.8.19-3.15.1
    - pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208: < 1.11.23-3.12.1
    - pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208: < 1.11.23-3.12.1
    - pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2015%20SP1: < 2.2.4-bp151.3.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html (ghsa: vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html (ghsa: vendor-advisory, x_refsource_SUSE, WEB)
- github.com/advisories/GHSA-h5jv-4p7w-64jg (ghsa: ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/ (mitre: vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2019-14233 (ghsa: ADVISORY)
- security.gentoo.org/glsa/202004-17 (ghsa: vendor-advisory, x_refsource_GENTOO, WEB)
- www.debian.org/security/2019/dsa-4498 (ghsa: vendor-advisory, x_refsource_DEBIAN, WEB)
- docs.djangoproject.com/en/dev/releases/security (ghsa: WEB)
- docs.djangoproject.com/en/dev/releases/security/ (mitre: x_refsource_MISC)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-12.yaml (ghsa: WEB)
- groups.google.com/forum/ (ghsa: WEB)
- groups.google.com/forum/ (mitre: x_refsource_MISC)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK (ghsa: WEB)
- seclists.org/bugtraq/2019/Aug/15 (ghsa: mailing-list, x_refsource_BUGTRAQ, WEB)
- security.netapp.com/advisory/ntap-20190828-0002 (ghsa: WEB)
- security.netapp.com/advisory/ntap-20190828-0002/ (mitre: x_refsource_CONFIRM)
- www.djangoproject.com/weblog/2019/aug/01/security-releases (ghsa: WEB)
- www.djangoproject.com/weblog/2019/aug/01/security-releases/ (mitre: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.