CVE-2026-1285
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in components for handling common web development tasks such as authentication, database interaction, and request routing.
A denial-of-service vulnerability (CVE-2026-1285) has been identified in Django, where the django.utils.text.Truncator.chars() and Truncator.words() methods with html=True, as well as the truncatechars_html and truncatewords_html template filters, could be exploited through specially crafted HTML input containing large numbers of unmatched end tags. This improper handling of malformed HTML during parsing may trigger quadratic time complexity, potentially resulting in excessive CPU consumption, service degradation, or application outages within affected Django applications.
Per OWASP: Denial-of-Service (DoS) vulnerabilities occur when an application can be forced to consume excessive resources, preventing legitimate users from accessing the service. Resource exhaustion attacks commonly target memory, CPU, storage, or network bandwidth by exploiting weaknesses in how applications process untrusted input.
Details
Module Info
- Product: Django
- Affected packages: django
- Affected versions: <=3.2.25, <=4.2.27, <=5.2.10, <=6.0.1
- GitHub repository: https://github.com/django/django
- Published packages: https://pypi.org/project/Django/
- Package manager: pip
- Fixed in: Django NES v3.2.27 and v4.2.31
Vulnerability Info
This Medium-severity vulnerability is found in the utils package in all published versions of Django.
Normally, Django’s text truncation utilities are designed to safely process and shorten HTML content while preserving valid markup structure and maintaining predictable application performance. In particular, the django.utils.text.Truncator.chars() and Truncator.words() methods with html=True, along with the truncatechars_html and truncatewords_html template filters, are intended to efficiently parse HTML input without allowing malformed content to significantly impact processing time.
However, due to improper handling of HTML input containing large numbers of unmatched end tags, an attacker can supply specially crafted content that triggers quadratic time complexity during HTML parsing. This behavior may cause disproportionate CPU consumption while processing malicious input, potentially resulting in service degradation or denial-of-service conditions within affected Django applications.
This issue arises from inefficient parsing behavior in Django’s HTML truncation logic: processing cost grows quadratically with the number of unmatched closing tags, so an attacker who can submit malformed HTML with many excess end tags can force disproportionately expensive work from a small input.
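As an added, defender-side illustration (not Django's or HeroDevs' code), the guard below makes one linear pass over untrusted markup, counts end tags that close nothing currently open (the input shape this advisory describes), and routes the text to the html=True truncator only when it stays within a size and unmatched-tag budget; otherwise it falls back to tag-stripped plain-text truncation. The function names, the budgets and the fallback ellipsis handling are assumptions for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
import re

# HTML void elements never carry an end tag, so their start tags are not
# treated as "open" (otherwise a stray </br> would look matched).
_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
         "link", "meta", "source", "track", "wbr"}
_TAG_RE = re.compile(r"<[^>]*>")


class _EndTagAuditor(HTMLParser):
    """Counts end tags with no open counterpart. A Counter rather than a
    stack keeps every tag event O(1), so the guard itself stays linear."""
    def __init__(self):
        super().__init__()
        self.open_counts = Counter()
        self.unmatched = 0

    def handle_starttag(self, tag, attrs):
        if tag not in _VOID:
            self.open_counts[tag] += 1

    def handle_startendtag(self, tag, attrs):
        pass  # <tag/> opens and closes itself; nothing to track

    def handle_endtag(self, tag):
        if self.open_counts[tag] > 0:
            self.open_counts[tag] -= 1
        else:
            self.unmatched += 1


def count_unmatched_end_tags(html: str) -> int:
    """Number of end tags that close nothing, computed in O(len(html))."""
    auditor = _EndTagAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.unmatched


def truncate_untrusted_html(html, length, html_truncate, *,
                            max_unmatched=50, max_chars=100_000):
    """Call html_truncate (e.g. a wrapper around Truncator(html).chars(length,
    html=True)) only when the input passes both budgets (constructed
    defaults); otherwise strip tags and truncate as plain text."""
    if len(html) <= max_chars and count_unmatched_end_tags(html) <= max_unmatched:
        return html_truncate(html)
    plain = _TAG_RE.sub("", html)
    return plain if len(plain) <= length else plain[: max(length - 1, 0)] + "…"
```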
Mitigation
Django versions 3.2 and 4.2 are End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Django.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Seokchan Yoon (finder)