Wiz
Vulnerability DatabaseCVE-2025-32873

CVE-2025-32873
Django vulnerability analysis and mitigation

Overview

A denial-of-service vulnerability (CVE-2025-32873) was discovered in Django's striptags() function, affecting Django versions 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The vulnerability was disclosed on May 7, 2025, and involves the django.utils.html.striptags() function and the striptags template filter being vulnerable to potential denial-of-service through slow performance when processing inputs containing large sequences of incomplete HTML tags (Django Weblog, NVD).

Technical details

The vulnerability exists in the django.utils.html.striptags() function, which experiences performance degradation when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also affected as it is built on top of striptags(). The issue has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L and is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD, Wiz).

Impact

When exploited, this vulnerability can lead to service degradation or unresponsiveness in Django applications that use the strip_tags() function or the striptags template filter. The severity is rated as 'moderate' according to Django's security policy, primarily affecting the availability aspect of the system without compromising confidentiality or integrity (Django Weblog, Wiz).

Mitigation and workarounds

The issue has been fixed in Django versions 5.2.1, 5.1.9, and 4.2.21. The patch implements a security measure where django.utils.html.strip_tags() now raises a SuspiciousOperation exception when encountering an unusually large number of unclosed opening tags. Users are strongly encouraged to upgrade to these patched versions. The fixes are available in the main, 5.2, 5.1, and 4.2 branches of Django (Django Weblog, OSS Security).

Community reactions

The Django security team has classified this vulnerability as 'moderate' severity according to their security policy. The vulnerability was responsibly disclosed by security researcher Elias Myllymäki, and the Django team promptly addressed the issue with security patches (Django Weblog).

Additional resources

SourceThis report was generated using AI

Related Django vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-57833HIGH7.1
  • DjangoDjango
  • python-django
NoYesSep 03, 2025
CVE-2025-27556MEDIUM5.8
  • DjangoDjango
  • django
NoYesApr 02, 2025
CVE-2025-32873MEDIUM5.3
  • DjangoDjango
  • python-django
NoYesMay 08, 2025
CVE-2025-26699MEDIUM5
  • DjangoDjango
  • python3-django4.2-doc
NoYesMar 06, 2025
CVE-2025-48432MEDIUM4
  • DjangoDjango
  • django
NoYesJun 05, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo