CVE-2024-27351 - Regular Expression Denial-of-Service (ReDoS) Vulnerability in Django

In this post, we discuss a critical security flaw, CVE-2024-27351, affecting Django versions 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3. Developers whose applications rely on these Django versions need to address this vulnerability, as it can be used to mount a denial-of-service attack via specially crafted strings. The vulnerability exists because the fixes for the earlier CVE-2019-14232 and CVE-2023-43665 were incomplete.

The Vulnerability

CVE-2024-27351 affects the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter. By using crafted strings, attackers could trigger a regular expression denial-of-service (ReDoS) attack, causing the application to consume excessive resources and eventually hang or crash.

Vulnerable usage of the django.utils.text.Truncator.words() method looks as follows (the issue is reached only when html=True is passed):

from django.utils.text import Truncator

# Any string that originates from an untrusted source (request body, user profile, etc.)
sample_text = "Your sample text here"
truncator = Truncator(sample_text)

# Vulnerable usage: html=True selects the HTML-aware truncation path affected by CVE-2024-27351
truncated_text = truncator.words(5, html=True)

And in a Django template, where truncatewords_html is a built-in filter and therefore needs no {% load %} tag:

{# Vulnerable usage: truncatewords_html calls Truncator.words(..., html=True) internally #}
{{ sample_text|truncatewords_html:5 }}

Exploit Details

The vulnerability lies in the way Django handles certain regex patterns while processing strings with the words() method and the truncatewords_html filter. By carefully crafting a string containing a specific pattern of characters, an attacker can exploit the poor performance of the regex engine in processing those patterns, leading to exponentially longer processing times.

A simple crafted string that could trigger the vulnerability is as follows:

sample_text = "<b>" * 10000

When this string is passed to Truncator.words() method or the truncatewords_html filter, it causes the application to hang, possibly consuming a large amount of processing power and eventually crashing.

The Solution

The Django project has already released the updated versions 3.2.25, 4.2.11, and 5.0.3, which address this vulnerability.

It is highly recommended for developers to update their Django versions to the latest patched versions in order to protect their applications from potential ReDoS attacks. To update Django to the latest version, execute the following command:

pip install --upgrade django
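Before and after upgrading, it helps to confirm programmatically whether the Django version in an environment falls inside one of the affected ranges named above. The following script is an added example for this post, not code from the Django project; it encodes only the three affected ranges stated in the advisory (3.2 before 3.2.25, 4.2 before 4.2.11, 5.0 before 5.0.3), treats pre-release tags such as "rc1" conservatively as preceding the final release, and uses django.get_version() to read the installed version if Django is importable. Series not listed (for example 4.1.x) are reported as not affected by this particular CVE, which says nothing about their general support status.

```python
# Added example (not from the original post or the Django project): check whether a
# Django version string lies inside the ranges affected by CVE-2024-27351.
import re
from typing import Optional, Tuple

# (major, minor) series -> first patch-level release in that series that contains the fix.
# Ranges taken from the advisory: 3.2 < 3.2.25, 4.2 < 4.2.11, 5.0 < 5.0.3.
FIXED_IN = {
    (3, 2): 25,
    (4, 2): 11,
    (5, 0): 3,
}

# Accepts "X.Y", "X.Y.Z" and "X.Y.Zsuffix" (e.g. "5.0.3rc1"); the suffix marks a pre-release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(\S*)$")


def parse_version(version: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) for a Django version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), bool(suffix)


def is_vulnerable(version: str) -> bool:
    """True if the given Django version is in an affected range for CVE-2024-27351.

    A pre-release of the fixing patch level (e.g. 5.0.3rc1) is treated as vulnerable,
    since it precedes the final release that carries the fix.
    """
    major, minor, patch, prerelease = parse_version(version)
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        # Series not covered by this advisory (e.g. 4.1.x, 5.1.x).
        return False
    return patch <= fixed_patch if prerelease else patch < fixed_patch


def installed_django_version() -> Optional[str]:
    """Version string of the importable Django, or None if Django is not installed."""
    try:
        import django
    except ImportError:
        return None
    return django.get_version()


if __name__ == "__main__":
    installed = installed_django_version()
    if installed is None:
        print("Django is not installed in this environment")
    else:
        status = "VULNERABLE to CVE-2024-27351" if is_vulnerable(installed) else "patched / not affected"
        print(f"Django {installed}: {status}")
```

Running the script inside the application's virtual environment reports the installed version's status; is_vulnerable() can also be fed version strings collected from a requirements lock file or a dependency inventory to find affected deployments without importing Django.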

For further information, refer to the official Django security advisory and the NVD entries for the related CVEs:

- Django Security Advisory
- CVE-2024-27351 - NIST National Vulnerability Database (NVD)
- CVE-2019-14232 - NIST National Vulnerability Database (NVD)
- CVE-2023-43665 - NIST National Vulnerability Database (NVD)

Following best practices and continuously updating your software and libraries will help you avoid unnecessary security risks.

Timeline

Published on: 03/15/2024 20:15:09 UTC
Last modified on: 07/03/2024 01:50:33 UTC