CVE-2024-45230: Denial-of-Service Vulnerability in Django's urlize() and urlizetrunc() Template Filters
A vulnerability, CVE-2024-45230, has been identified in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. Django developers must be aware of this denial-of-service (DoS) vulnerability found in the urlize() and urlizetrunc() template filters. These filters are exposed to DoS when they receive very large inputs containing specific sequences of characters.
Issue Details and Background
The urlize() and urlizetrunc() are template filters in Django that accept text as input and return the same text with URLs converted to HTML links. Both filters use the same underlying regular expression to identify URLs within the input text.
For example, the urlize() filter is applied in a template like this:
{{ some_text | urlize }}
The vulnerability occurs when these filters are given very large inputs containing specific sequences of characters. When that input is user-controlled, it can be used for denial of service, because the filters consume a significant amount of CPU and memory while processing it.
Exploit Details
An attacker would need to craft a malicious input to exploit this vulnerability. The crafted input would need to contain a specially constructed sequence of characters that would cause the regex used by urlize() and urlizetrunc() filters to consume excessive amounts of CPU and memory resources.
The following is an example of a specially crafted input that could be used to exploit this vulnerability:
"A" * 100000 + "B" * 100000 + "://" + "C" * 100000
This input would cause the regular expression used by the urlize() and urlizetrunc() filters to take a significant amount of time to process, resulting in a denial-of-service attack.
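As an added example, not taken from the advisory or from Django itself, the helpers below give an application two defensive checks: a version gate that tells whether the installed Django carries the fix, and an input-size gate that rejects oversized untrusted text before it reaches urlize(). The cap value, the helper names and the sample input are assumptions.

```python
"""Defensive helpers for CVE-2024-45230 (urlize / urlizetrunc DoS).

Added example, not part of the advisory or of Django. Only safe_urlize()
needs Django installed; the version and size checks are pure Python.
"""
from importlib import metadata

# Fixed releases named in the advisory, keyed by release series.
PATCHED = {(5, 1): (5, 1, 1), (5, 0): (5, 0, 9), (4, 2): (4, 2, 16)}
# Assumed application-level cap on text handed to the filter; tune per app.
MAX_URLIZE_CHARS = 20_000
# Constructed sample input in the shape the advisory describes.
PATHOLOGICAL_INPUT = "A" * 100000 + "B" * 100000 + "://" + "C" * 100000


def parse_version(version: str) -> tuple:
    """'5.0.9' -> (5, 0, 9); parsing stops at the first non-numeric part."""
    parts = []
    for part in version.split(".")[:3]:
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version: str) -> bool:
    """True if this Django version is not affected by CVE-2024-45230."""
    v = parse_version(version)
    if v[:2] in PATCHED:
        return v >= PATCHED[v[:2]]
    # Series newer than 5.1 postdate the fix; older, unsupported series
    # (for example 4.1 or 3.2) never received it.
    return v > (5, 1, 1)


def installed_django_is_patched() -> bool:
    """Check the installed Django distribution (False if it is absent)."""
    try:
        return is_patched(metadata.version("Django"))
    except metadata.PackageNotFoundError:
        return False


def exceeds_cap(text: str, max_chars: int = MAX_URLIZE_CHARS) -> bool:
    """True when the text is larger than the application is willing to urlize."""
    return len(text) > max_chars


def safe_urlize(text: str, max_chars: int = MAX_URLIZE_CHARS) -> str:
    """urlize() behind a size gate; raising keeps the rejection visible."""
    if exceeds_cap(text, max_chars):
        raise ValueError(f"urlize input of {len(text)} chars exceeds {max_chars}")
    from django.utils.html import urlize  # imported lazily on purpose
    return urlize(text)
```

Register safe_urlize() as a custom template filter and use it in place of urlize for user-supplied text; the size gate is a defence-in-depth measure and does not replace upgrading.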
Resolution
Django has released a security update to fix this vulnerability. Users are encouraged to update their Django installations to the patched versions 5.1.1, 5.0.9, or 4.2.16, depending on the series in use.
Updating Django can be done using the pip package manager:
pip install --upgrade "Django>=5.1.1,<5.2"
pip install --upgrade "Django>=5.0.9,<5.1"
pip install --upgrade "Django>=4.2.16,<4.3"
Original References
- Django Security Release: https://www.djangoproject.com/weblog/2021/sep/08/security-releases/
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45230
- Django Documentation for urlize: https://docs.djangoproject.com/en/3.2/ref/templates/builtins/#urlize
Conclusion
It is important for developers using Django to be aware of this vulnerability and update their installations to the patched versions immediately. This will help to protect applications built on Django from potential denial-of-service attacks caused by the urlize() and urlizetrunc() filters.
Timeline
Published on: 10/08/2024 16:15:11 UTC
Last modified on: 10/30/2024 17:35:09 UTC