CVE-2024-27351

CVE-2024-27351 is a medium-severity vulnerability in Djangoproject Django with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1333.

Key facts

Description

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

Frequently asked questions

What is CVE-2024-27351?
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
How severe is CVE-2024-27351?
CVE-2024-27351 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2024-27351 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (77th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-27351?
CVE-2024-27351 affects Djangoproject Django. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-27351?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-27351 have an EU (EUVD) identifier?
Yes. CVE-2024-27351 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-0039.
When was CVE-2024-27351 published?
CVE-2024-27351 was published on 2024-03-15 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Djangoproject Django

All CVEs affecting Djangoproject Django →

Other CWE-1333 vulnerabilities

Browse all CWE-1333 vulnerabilities →