VYPR
Moderate severity · NVD Advisory · Published Aug 7, 2024 · Updated Nov 4, 2025

CVE-2024-41989

Description

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-41989 is a memory-exhaustion flaw in Django's floatformat template filter: a string representation of a number in scientific notation with a large exponent makes the filter build a digit string whose length grows with the exponent, giving an unauthenticated attacker a remote denial of service.

Vulnerability

Description

The floatformat template filter in Django 5.0 before 5.0.8 and 4.2 before 4.2.15 consumes excessive memory when given a string representation of a number in scientific notation with a large exponent. The filter parses the input as a Decimal and then renders it in fixed-point form, and before the fix nothing bounded how many digits that rendering would need. The length is proportional to the exponent, so an exponent of a million yields a million-digit string, and the patch's own regression tests use exponents as large as 10^16 [1][2].

Exploitation and Attack Vector

An attacker exploits this by getting a string such as "1e1000000" (a number in scientific notation with a very large exponent) into a template context value that is rendered through the floatformat filter. The filter accepts strings, parses them as a Decimal and then builds a fixed-point digit string whose length grows with the exponent, so that one short input drives the allocation of a digit string of about a million characters plus the intermediate objects built to produce it, and larger exponents scale accordingly. No authentication or special privilege is needed; the only precondition is that attacker-controlled input reaches a template that applies floatformat to it, for example user-submitted data or URL parameters that a vulnerable view passes into its context [3][4].

Impact

Successful exploitation results in denial of service through memory exhaustion: the worker process handling the request can run out of memory and crash or stall, and because the trigger is a short string, a single request costs far more memory than it carries. The NVD record scores the issue CVSS 7.5 (high) since it is remotely triggerable without authentication, while the advisory header above lists it as moderate severity; the two sources rate it differently. The flaw affects Django 5.0.x before 5.0.8 and 4.2.x before 4.2.15 [2][3].

Mitigation

Django 5.0.8 and 4.2.15 fix the issue by inspecting the parsed Decimal before rendering: the filter adds the number of digits to the absolute value of the exponent and, when that sum exceeds 200, returns the input string unchanged (the release notes summarize this as "decimals with more than 200 digits are now returned as is"). Users should upgrade immediately; no workaround other than patching is available [1][3][4]. Note that this is a visible behaviour change above the cut-off: after the fix floatformat("1e200") yields the literal text "1e200" rather than a 201-digit number, while "1e199" is still rendered in full, so templates that format very large values will see the raw input.
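The description and attack-vector passages above explain why the exponent drives the allocation, and the mitigation passage describes the cut-off the fix adds; the block below, an added example that is not Django's code, models both in stand-alone Python using only the decimal module. render_cost() computes the same quantity the patch compares against 200 (digit count plus absolute exponent), and guarded_floatformat() is a hypothetical minimal fixed-point renderer that applies that guard before calling Decimal.quantize(); both function names, the RENDER_BUDGET constant and the pass-through of non-numeric text are this example's assumptions, not Django API.

```python
"""Added example (not Django's code): a stand-alone model of the guard that
Django 4.2.15 / 5.0.8 added to the floatformat template filter.

render_cost() computes the same quantity the patch compares against 200,
and guarded_floatformat() is a hypothetical minimal fixed-point renderer
that applies the guard before touching Decimal.quantize().
"""
from decimal import ROUND_HALF_UP, Context, Decimal, InvalidOperation

# Cut-off used by the Django fix: len(digits) + abs(exponent) > 200.
RENDER_BUDGET = 200


def render_cost(value):
    """Return len(digits) + abs(exponent) for a numeric string, or None when
    the string is not a finite decimal.  This is the size a fixed-point
    rendering would have to build, which is why the patch checks it first.
    Decimal(str) is exact and cheap even for "1e10000000000000000"; it is
    the later quantize/str step that would need ~10**16 characters."""
    try:
        d = Decimal(value)
    except InvalidOperation:
        return None
    _, digits, exponent = d.as_tuple()
    if not isinstance(exponent, int):  # 'F', 'n', 'N' for inf / nan / snan
        return None
    return len(digits) + abs(exponent)


def guarded_floatformat(value, places=-1, budget=RENDER_BUDGET):
    """Render a numeric string with `places` decimals, like the template
    filter; a negative `places` drops the decimals when the value is an
    integer.  Values whose render_cost() exceeds `budget`, and values that
    are not finite decimals, are returned unchanged.  The over-budget
    pass-through mirrors the patched Django filter; returning non-numeric
    text unchanged is this example's choice, not Django's behaviour."""
    cost = render_cost(value)
    if cost is None or cost > budget:
        return value
    d = Decimal(value)
    if places < 0 and d == d.to_integral_value():
        places = 0
    exp = Decimal(1).scaleb(-abs(places))
    # Precision must cover every integer digit plus the requested decimals,
    # which is exactly the quantity the pre-check has just bounded.
    ctx = Context(prec=cost + abs(places) + 1)
    return str(d.quantize(exp, rounding=ROUND_HALF_UP, context=ctx))


if __name__ == "__main__":
    # Constructed inputs mirroring the cases in the Django fix's tests.
    for sample in ["3.14159", "1e199", "1e200", "-1E10000000000000000",
                   "1e-10000000000000000", "inf", "NaN"]:
        out = guarded_floatformat(sample)
        shown = out if len(out) < 40 else f"{out[:20]}... ({len(out)} chars)"
        print(f"{sample!r:>24} cost={render_cost(sample)!s:>6} -> {shown}")
```

Running it prints the cost and the result for a few constructed inputs taken from the fix's test cases: "1e199" (cost 200) renders to a 200-digit string, while "1e200", the 10^16 exponents and any million-zero literal come back verbatim, and "inf"/"NaN" fall through as non-finite. Parsing alone is cheap even for a 10^16 exponent, which is the point of the fix: Decimal(str) is exact and stores the exponent as an integer, so the guard can inspect as_tuple() without ever materialising the digits.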

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
Django (PyPI)    >= 5.0, < 5.0.8      5.0.8
Django (PyPI)    >= 4.2, < 4.2.15     4.2.15

Patches (2)
fc76660f589a

[4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.

https://github.com/django/django · Sarah Boyce · Jul 12, 2024 · via ghsa
3 files changed · +39 -0
  • django/template/defaultfilters.py · +13 -0 · modified
    @@ -163,6 +163,19 @@ def floatformat(text, arg=-1):
         except ValueError:
             return input_val
     
    +    _, digits, exponent = d.as_tuple()
    +    try:
    +        number_of_digits_and_exponent_sum = len(digits) + abs(exponent)
    +    except TypeError:
    +        # Exponent values can be "F", "n", "N".
    +        number_of_digits_and_exponent_sum = 0
    +
    +    # Values with more than 200 digits, or with a large exponent, are returned "as is"
    +    # to avoid high memory consumption and potential denial-of-service attacks.
    +    # The cut-off of 200 is consistent with django.utils.numberformat.floatformat().
    +    if number_of_digits_and_exponent_sum > 200:
    +        return input_val
    +
         try:
             m = int(d) - d
         except (ValueError, OverflowError, InvalidOperation):
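Review bot: the comment on the cut-off line ("The cut-off of 200 is consistent with django.utils.numberformat.floatformat()") points at a function that appears nowhere in this diff; the function being patched is the floatformat template filter in django/template/defaultfilters.py, so confirm the name of the numberformat helper the 200 was borrowed from and cite that, or drop the cross-reference so the two do not drift apart. The guard itself is placed correctly: `len(digits) + abs(exponent)` is computed before `m = int(d) - d`, so a huge positive or negative exponent is rejected before any wide integer or quantized value is built, and the `except TypeError` branch deliberately gives inf/nan (exponent "F", "n", "N") a sum of 0 so they keep flowing into the existing special-value handling. Since the early return hands back `input_val` rather than a formatted number, a caller rendering "1e200" now gets that literal text; a sentence in the filter's docstring about this would help anyone debugging unexpected template output.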
    
  • docs/releases/4.2.15.txt · +9 -0 · modified
    @@ -7,6 +7,15 @@ Django 4.2.15 release notes
     Django 4.2.15 fixes three security issues with severity "moderate", one
     security issue with severity "high", and a regression in 4.2.14.
     
    +CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
    +================================================================================
    +
    +If :tfilter:`floatformat` received a string representation of a number in
    +scientific notation with a large exponent, it could lead to significant memory
    +consumption.
    +
    +To avoid this, decimals with more than 200 digits are now returned as is.
    +
     Bugfixes
     ========
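Review bot: the section title names ``django.utils.numberformat.floatformat()``, but the only code file in this commit is django/template/defaultfilters.py and the body text itself uses the :tfilter:`floatformat` role, i.e. the template filter; retitle so the heading matches the body. The summary "decimals with more than 200 digits are now returned as is" also understates the new check: the code returns the input when digit count plus absolute exponent exceeds 200, so "1e200" (a single digit) is returned as is while "1e199" still renders in full, as the new tests show. Suggest "values whose number of digits plus the magnitude of their exponent exceeds 200 are now returned as is".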
     
    
  • tests/template_tests/filter_tests/test_floatformat.py · +17 -0 · modified
    @@ -77,6 +77,7 @@ def test_inputs(self):
             self.assertEqual(floatformat(1.5e-15, 20), "0.00000000000000150000")
             self.assertEqual(floatformat(1.5e-15, -20), "0.00000000000000150000")
             self.assertEqual(floatformat(1.00000000000000015, 16), "1.0000000000000002")
    +        self.assertEqual(floatformat("1e199"), "1" + "0" * 199)
     
         def test_force_grouping(self):
             with translation.override("en"):
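Review bot: `floatformat("1e199")` pins the inclusive edge of the guard (1 digit + exponent 199 = 200, still rendered) only from the positive side; because the check uses abs(exponent), a matching negative-exponent boundary such as "1e-199" with a suitable places argument would catch a regression that drops the abs(). A one-line comment on this assertion saying that 199 is the boundary rather than an arbitrary value would also stop someone "cleaning up" the constant later.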
    @@ -134,6 +135,22 @@ def test_infinity(self):
             self.assertEqual(floatformat(pos_inf), "inf")
             self.assertEqual(floatformat(neg_inf), "-inf")
             self.assertEqual(floatformat(pos_inf / pos_inf), "nan")
    +        self.assertEqual(floatformat("inf"), "inf")
    +        self.assertEqual(floatformat("NaN"), "NaN")
    +
    +    def test_too_many_digits_to_render(self):
    +        cases = [
    +            "1e200",
    +            "1E200",
    +            "1E10000000000000000",
    +            "-1E10000000000000000",
    +            "1e10000000000000000",
    +            "-1e10000000000000000",
    +            "1" + "0" * 1_000_000,
    +        ]
    +        for value in cases:
    +            with self.subTest(value=value):
    +                self.assertEqual(floatformat(value), value)
     
         def test_float_dunder_method(self):
             class FloatWrapper:
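Review bot: none of these cases has a large negative exponent, although the guard sums abs(exponent); add "1e-10000000000000000" (and its negated form) so the abs() path is exercised, since every case listed here passes even if abs() is removed. The assertion `floatformat(value) == value` also documents that the raw input string is echoed back, so the "1" + "0" * 1_000_000 case still yields a one-megabyte output; that is bounded by the input size and therefore fine, but a short comment saying the guard limits amplification rather than output length would pre-empt the question.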
    
27900fe56f3d

[5.0.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.

https://github.com/django/django · Sarah Boyce · Jul 12, 2024 · via ghsa
4 files changed · +48 -0
  • django/template/defaultfilters.py · +13 -0 · modified
    @@ -164,6 +164,19 @@ def floatformat(text, arg=-1):
         except ValueError:
             return input_val
     
    +    _, digits, exponent = d.as_tuple()
    +    try:
    +        number_of_digits_and_exponent_sum = len(digits) + abs(exponent)
    +    except TypeError:
    +        # Exponent values can be "F", "n", "N".
    +        number_of_digits_and_exponent_sum = 0
    +
    +    # Values with more than 200 digits, or with a large exponent, are returned "as is"
    +    # to avoid high memory consumption and potential denial-of-service attacks.
    +    # The cut-off of 200 is consistent with django.utils.numberformat.floatformat().
    +    if number_of_digits_and_exponent_sum > 200:
    +        return input_val
    +
         try:
             m = int(d) - d
         except (ValueError, OverflowError, InvalidOperation):
    
  • docs/releases/4.2.15.txt · +9 -0 · modified
    @@ -7,6 +7,15 @@ Django 4.2.15 release notes
     Django 4.2.15 fixes three security issues with severity "moderate", one
     security issue with severity "high", and a regression in 4.2.14.
     
    +CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
    +================================================================================
    +
    +If :tfilter:`floatformat` received a string representation of a number in
    +scientific notation with a large exponent, it could lead to significant memory
    +consumption.
    +
    +To avoid this, decimals with more than 200 digits are now returned as is.
    +
     Bugfixes
     ========
     
    
  • docs/releases/5.0.8.txt · +9 -0 · modified
    @@ -7,6 +7,15 @@ Django 5.0.8 release notes
     Django 5.0.8 fixes three security issues with severity "moderate", one security
     issue with severity "high", and several bugs in 5.0.7.
     
    +CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
    +================================================================================
    +
    +If :tfilter:`floatformat` received a string representation of a number in
    +scientific notation with a large exponent, it could lead to significant memory
    +consumption.
    +
    +To avoid this, decimals with more than 200 digits are now returned as is.
    +
     Bugfixes
     ========
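Review bot: as with the 4.2.15 note carried in this same commit, the heading's ``django.utils.numberformat.floatformat()`` does not match the file actually changed (django/template/defaultfilters.py) or the :tfilter:`floatformat` role used in the body, and "decimals with more than 200 digits" omits the exponent half of the check (the code returns the input when digits plus absolute exponent exceed 200); adjust both here as well so the 5.0.8 and 4.2.15 notes stay consistent.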
     
    
  • tests/template_tests/filter_tests/test_floatformat.py · +17 -0 · modified
    @@ -77,6 +77,7 @@ def test_inputs(self):
             self.assertEqual(floatformat(1.5e-15, 20), "0.00000000000000150000")
             self.assertEqual(floatformat(1.5e-15, -20), "0.00000000000000150000")
             self.assertEqual(floatformat(1.00000000000000015, 16), "1.0000000000000002")
    +        self.assertEqual(floatformat("1e199"), "1" + "0" * 199)
     
         def test_force_grouping(self):
             with translation.override("en"):
    @@ -134,6 +135,22 @@ def test_infinity(self):
             self.assertEqual(floatformat(pos_inf), "inf")
             self.assertEqual(floatformat(neg_inf), "-inf")
             self.assertEqual(floatformat(pos_inf / pos_inf), "nan")
    +        self.assertEqual(floatformat("inf"), "inf")
    +        self.assertEqual(floatformat("NaN"), "NaN")
    +
    +    def test_too_many_digits_to_render(self):
    +        cases = [
    +            "1e200",
    +            "1E200",
    +            "1E10000000000000000",
    +            "-1E10000000000000000",
    +            "1e10000000000000000",
    +            "-1e10000000000000000",
    +            "1" + "0" * 1_000_000,
    +        ]
    +        for value in cases:
    +            with self.subTest(value=value):
    +                self.assertEqual(floatformat(value), value)
     
         def test_float_dunder_method(self):
             class FloatWrapper:
    
