CVE-2025-32873

Aliases:GHSA-8j24-cjrq-gr2mBIT-django-2025-32873PYSEC-2025-37

Advisory lineage Upstream: 0 Downstream: 12

Downstream

DEBIAN-CVE-2025-32873 DLA-4210-1 DSA-6136-1 MGASA-2025-0153 OPENSUSE-SU-2025:15082-1 OPENSUSE-SU-2025:15087-1

Analyzed

Published: 08 May 2025, 00:00

Last modified:08 May 2025, 14:42

Vulnerability Summary

Overall Risk (default)

low

21/100

CVSS Score

5.3 MEDIUM

v3.1 (cve.org)

EPSS Score

0.19% LOW

0% probability +0.15%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

08 May 2025, 00:00

Published

Vulnerability first disclosed

08 May 2025, 14:42

Last Modified

Vulnerability information updated

Description

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

CVSS Metrics

v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Trends

Current EPSS score: 0.19%• Percentile: 40%

Techniques & Countermeasures

CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

djangoproject•django
≥ 4.2, < 4.2.21 | ≥ 5.2, < 5.2.1 | ≥ 4.2.0, < 4.2.21 | ≥ 5.1, < 5.1.9 | 5.2
PyPI•django
≥ 4.2, < 4.2.21 | ≥ 5.1, < 5.1.9 | ≥ 5.2, < 5.2.1