2364980 – (CVE-2025-32873) CVE-2025-32873 django: Django StripTags Denial of Service

Bug 2364980 (CVE-2025-32873) - CVE-2025-32873 django: Django StripTags Denial of Service

Summary: CVE-2025-32873 django: Django StripTags Denial of Service

Keywords:
Status:	NEW
Alias:	CVE-2025-32873
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2365039 2365040 2365041 2365042 2365043 2365044 2365045 2365046 2365047
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-08 04:01 UTC by OSIDB Bzimport
Modified:	2025-05-08 13:06 UTC (History)
CC List:	45 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-05-08 04:01:29 UTC

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

Note You need to log in before you can comment on or make changes to this bug.

anthomas
brking
davidn
dranck
eglynn
ehelms
ggainey
gtanzill
haoli
hkataria
jajackso
jcammara
jjoyce
jmitchel
jneedle
jschluet
juwatts
kegrant
koliveir
kshier
lhh
lsvaty
mabashia
mburns
mgarciac
mhulan
mminar
nmoumoul
osousa
pbraun
pcreech
pgrist
rbiba
rchan
relrod
shvarugh
simaishi
smallamp
smcdonal
sskracic
stcannon
teagle
tfister
thavo
yguenane