VDB

CVE-2024-27351

CVE-2024-27351 PUBLISHED

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

EPSS 2.61% · 85.9th percentile

Risk Scores

EPSS Score
2.61%
85.9th percentile

Affected Products

VendorProductVersions
Bitnamidjango4.2.0, 5.0.0, 3.2.0
Bitnamidjango3.2.0, 4.2.0, 5.0.0

Timeline

  • CVE Published
  • Mar 16, 2024 EPSS Score
  • Apr 28, 2024 PoC Published
  • May 7, 2024 EPSS Score
  • Jun 2, 2024 EPSS Score
  • Jul 25, 2024 EPSS Score
  • Sep 15, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score
  • Oct 11, 2024 EPSS Score
  • Dec 3, 2024 EPSS Score
  • Jan 24, 2025 EPSS Score
  • Mar 17, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›