Moderate severityNVD Advisory· Published May 8, 2025· Updated May 8, 2025
CVE-2025-32873
CVE-2025-32873
Description
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 4.2, < 4.2.21 | 4.2.21 |
DjangoPyPI | >= 5.1, < 5.1.9 | 5.1.9 |
DjangoPyPI | >= 5.2, < 5.2.1 | 5.2.1 |
Affected products
1- Range: 4.2
Patches
19f3419b51979Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().
5 files changed · +53 −1
django/utils/html.py+6 −0 modified@@ -43,6 +43,9 @@ MAX_STRIP_TAGS_DEPTH = 50 +# HTML tag that opens but has no closing ">" after 1k+ chars. +long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}") + @keep_lazy(SafeString) def escape(text): @@ -208,6 +211,9 @@ def _strip_once(value): def strip_tags(value): """Return the given HTML with all tags stripped.""" value = str(value) + for long_open_tag in long_open_tag_without_closing_re.finditer(value): + if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH: + raise SuspiciousOperation # Note: in typical case this loop executes _strip_once twice (the second # execution does not remove any more tags). strip_tags_depth = 0
docs/releases/4.2.21.txt+11 −0 modified@@ -7,6 +7,17 @@ Django 4.2.21 release notes Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug, and a regression in 4.2.20. +CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` +================================================================= + +:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs +containing large sequences of incomplete HTML tags. This function is used to +implement the :tfilter:`striptags` template filter, which was thus also +vulnerable. + +:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` +exception if it encounters an unusually large number of unclosed opening tags. + Bugfixes ========
docs/releases/5.1.9.txt+11 −0 modified@@ -7,6 +7,17 @@ Django 5.1.9 release notes Django 5.1.9 fixes a security issue with severity "moderate", a data loss bug, and a regression in 5.1.8. +CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` +================================================================= + +:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs +containing large sequences of incomplete HTML tags. This function is used to +implement the :tfilter:`striptags` template filter, which was thus also +vulnerable. + +:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` +exception if it encounters an unusually large number of unclosed opening tags. + Bugfixes ========
docs/releases/5.2.1.txt+11 −0 modified@@ -7,6 +7,17 @@ Django 5.2.1 release notes Django 5.2.1 fixes a security issue with severity "moderate" and several bugs in 5.2. +CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` +================================================================= + +:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs +containing large sequences of incomplete HTML tags. This function is used to +implement the :tfilter:`striptags` template filter, which was thus also +vulnerable. + +:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` +exception if it encounters an unusually large number of unclosed opening tags. + Bugfixes ========
tests/utils_tests/test_html.py+14 −1 modified@@ -145,17 +145,30 @@ def test_strip_tags(self): ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"), ("X<<<<br>br>br>br>X", "XX"), ("<" * 50 + "a>" * 50, ""), + (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"), + ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951), + ("<" + "a" * 1_002, "<" + "a" * 1_002), ) for value, output in items: with self.subTest(value=value, output=output): self.check_output(strip_tags, value, output) self.check_output(strip_tags, lazystr(value), output) - def test_strip_tags_suspicious_operation(self): + def test_strip_tags_suspicious_operation_max_depth(self): value = "<" * 51 + "a>" * 51, "<a>" with self.assertRaises(SuspiciousOperation): strip_tags(value) + def test_strip_tags_suspicious_operation_large_open_tags(self): + items = [ + ">" + "<a" * 501, + "<a" * 50 + "a" * 950, + ] + for value in items: + with self.subTest(value=value): + with self.assertRaises(SuspiciousOperation): + strip_tags(value) + def test_strip_tags_files(self): # Test with more lengthy content (also catching performance regressions) for filename in ("strip_tags1.html", "strip_tags2.txt"):
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- github.com/advisories/GHSA-8j24-cjrq-gr2mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-32873ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/05/07/1ghsaWEB
- docs.djangoproject.com/en/dev/releases/securityghsaWEB
- github.com/django/django/commit/9f3419b519799d69f2aba70b9d25abe2e70d03e0ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-37.yamlghsaWEB
- groups.google.com/g/django-announceghsaWEB
- www.djangoproject.com/weblog/2025/may/07/security-releasesghsaWEB
- docs.djangoproject.com/en/dev/releases/security/mitre
- www.djangoproject.com/weblog/2025/may/07/security-releases/mitre
News mentions
0No linked articles in our index yet.