Moderate severityNVD Advisory· Published Mar 15, 2024· Updated Nov 4, 2025
CVE-2024-27351
CVE-2024-27351
Description
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 3.2, < 3.2.25 | 3.2.25 |
DjangoPyPI | >= 4.2, < 4.2.11 | 4.2.11 |
DjangoPyPI | >= 5.0, < 5.0.3 | 5.0.3 |
Affected products
38- osv-coords37 versionspkg:apk/chainguard/py3.10-djangopkg:apk/chainguard/py3.10-django-binpkg:apk/chainguard/py3.11-djangopkg:apk/chainguard/py3.11-django-binpkg:apk/chainguard/py3.12-djangopkg:apk/chainguard/py3.12-django-binpkg:apk/chainguard/py3.13-djangopkg:apk/chainguard/py3.13-django-binpkg:apk/chainguard/py3-djangopkg:apk/chainguard/py3-supported-djangopkg:apk/wolfi/py3.10-djangopkg:apk/wolfi/py3.10-django-binpkg:apk/wolfi/py3.11-djangopkg:apk/wolfi/py3.11-django-binpkg:apk/wolfi/py3.12-djangopkg:apk/wolfi/py3.12-django-binpkg:apk/wolfi/py3.13-djangopkg:apk/wolfi/py3.13-django-binpkg:apk/wolfi/py3-djangopkg:apk/wolfi/py3-supported-djangopkg:bitnami/djangopkg:pypi/djangopkg:rpm/opensuse/python-Django1&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-Django1&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208
< 5.0.4-r0+ 36 more
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: < 5.0.4-r0
- (no CPE)range: >= 3.2.0, < 3.2.25
- (no CPE)range: >= 3.2, < 3.2.25
- (no CPE)range: < 1.11.29-bp155.4.9.1
- (no CPE)range: < 4.2.14-1.1
- (no CPE)range: < 6.0-1.1
- (no CPE)range: < 2.0.7-150000.1.17.1
- (no CPE)range: < 4.2.11-1.1
- (no CPE)range: < 1.11.29-3.58.3
- (no CPE)range: < 1.11.29-3.58.3
- (no CPE)range: < 1.11.29-bp155.4.9.1
- (no CPE)range: < 1.11.29-3.59.3
- (no CPE)range: < 1.11.29-3.59.3
- (no CPE)range: < 1.11.29-3.59.3
- (no CPE)range: < 2.2.28-bp155.7.9.1
- (no CPE)range: < 12.0.5~dev6-14.54.5
- (no CPE)range: < 14.1.1~dev11-4.51.4
- (no CPE)range: < 12.0.5~dev6-14.54.4
Patches
Vulnerability mechanics
References
21- github.com/advisories/GHSA-vm8q-m57g-pff3ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEX/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2024-27351ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/03/04/1ghsamailing-listWEB
- docs.djangoproject.com/en/5.0/releases/securityghsaWEB
- github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521ghsaWEB
- github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761eghsaWEB
- github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4aghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-47.yamlghsaWEB
- groups.google.com/forum/ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEXghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4DghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2JIRXEDP4ZET5KFMAPPYSK663Q52NEXghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SN2PLJGYSAAG5KUVIUFJYKD3BLQ4OSN6ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4DghsaWEB
- www.djangoproject.com/weblog/2024/mar/04/security-releasesghsaWEB
- docs.djangoproject.com/en/5.0/releases/security/mitre
- www.djangoproject.com/weblog/2024/mar/04/security-releases/mitre
News mentions
0No linked articles in our index yet.