Django Truncator HTML Methods Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Django versions 6.0 prior to 6.0.2, 5.2 prior to 5.2.11, and 4.2 prior to 4.2.28. The issue arises in the 'django.utils.text.Truncator' class, specifically within the 'chars()' and 'words()' methods when the 'html' parameter is set to True. Additionally, the 'truncatechars_html' and 'truncatewords_html' template filters are affected. The vulnerability allows remote attackers to cause a denial-of-service by sending crafted inputs that include a large number of unmatched HTML end tags, leading to excessive processing time during HTML parsing.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition, where the application becomes unresponsive or significantly slower due to the increased processing time required to handle the crafted inputs.

Reproduction

To reproduce this vulnerability, use an affected Django version (6.0 prior to 6.0.2, 5.2 prior to 5.2.11, or 4.2 prior to 4.2.28). Apply a template filter that processes HTML, such as 'truncatechars_html' or 'truncatewords_html', and pass a string that contains a high number of unmatched HTML end tags. Such a string is the crafted input that triggers the denial-of-service condition, because the HTML parser slows down significantly while processing it.

Remediation

Users can upgrade to Django 6.0.2, 5.2.11, or 4.2.28 to address this vulnerability.
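Added example, not code from the advisory or from Django: a linear-time guard, written in Python against the standard library's HTMLParser, that counts unmatched HTML end tags in untrusted text so an application can refuse to hand a hostile string to Truncator(...).chars(html=True) or the truncatechars_html filter while the upgrade is rolled out. The threshold MAX_UNMATCHED_END_TAGS, the sample strings and the function names are assumptions for illustration.

```python
from html.parser import HTMLParser

# Assumed threshold: more unmatched end tags than this marks the input as
# hostile. Tune to the content the application actually accepts.
MAX_UNMATCHED_END_TAGS = 50


class UnmatchedEndTagCounter(HTMLParser):
    """Count end tags that close nothing. Runs in linear time: every pop of
    the open-tag stack is paid for by an earlier push."""

    def __init__(self):
        super().__init__()
        self.open_tags = []      # stack of currently open tag names
        self.open_counts = {}    # tag name -> how many are open
        self.unmatched = 0

    def handle_starttag(self, tag, attrs):
        self.open_tags.append(tag)
        self.open_counts[tag] = self.open_counts.get(tag, 0) + 1

    def handle_endtag(self, tag):
        if self.open_counts.get(tag, 0) == 0:
            self.unmatched += 1   # nothing open with this name: unmatched
            return
        # Close back to the nearest open tag of this name (implicitly closing
        # anything nested inside it, as a browser would).
        while True:
            popped = self.open_tags.pop()
            self.open_counts[popped] -= 1
            if popped == tag:
                break


def count_unmatched_end_tags(text):
    parser = UnmatchedEndTagCounter()
    parser.feed(text)
    parser.close()
    return parser.unmatched


def is_safe_for_html_truncation(text, limit=MAX_UNMATCHED_END_TAGS):
    """True when the text may be passed to the HTML-aware truncator;
    False when it should be rejected or truncated as plain text instead."""
    return count_unmatched_end_tags(text) <= limit


# Constructed samples: ordinary markup, and the shape of input the advisory
# describes (a large number of end tags with no matching start tag).
BENIGN_SAMPLE = "<p>Release notes for <b>6.0.2</b> are <a href='#'>here</a>.</p>"
HOSTILE_SAMPLE = "<p>x</p>" + "</div>" * 10000
```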

Added: Feb 3, 2026, 3:42 PM
Updated: Feb 3, 2026, 5:16 PM

Vulnerability Rating

Custom Algorithm

  spread          7.6
  impact          2.5
  exploitability  8.6
  remediation     7.7
  relevance       2.6
  threat          1.6
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.