CVE-2024-39614

CVSS 7.5 HIGH · EPSS 30.1% · CWE-130
In short

Django's language detection function can be overwhelmed by specially crafted long text strings, causing the application to become unresponsive or slow down significantly. This allows attackers to disrupt service without needing special permissions.

Technical detail

The get_supported_language_variant() function in Django 5.0 (before 5.0.7) and 4.2 (before 4.2.14) is vulnerable to ReDoS (Regular Expression Denial of Service) or algorithmic complexity attacks when it processes excessively long strings with specific character patterns. The attack requires no authentication and can be triggered through language preference inputs, resulting in CPU exhaustion and denial of service.
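As an added mitigation example (not code from this page or from Django itself): a Django-style middleware that drops oversized or malformed language inputs before the locale machinery calls get_supported_language_variant(), a compensating control for deployments that cannot move to 5.0.7 / 4.2.14 immediately. The middleware class name, the 64-character limit and the bounded tag pattern are assumptions made for this example; the cookie name django_language is Django's default.

```python
import re

# Assumed limit for this example: real language tags are far shorter than this.
MAX_LANGUAGE_CODE_LENGTH = 64

# Bounded tag pattern: every subtag has an explicit maximum length and the total
# length is checked first, so matching cost stays small and linear in the input.
_LANGUAGE_TAG_RE = re.compile(r"^[a-z]{2,8}(?:-[a-z0-9]{1,8}){0,5}$", re.IGNORECASE)


def is_safe_language_code(value):
    """True only for short, well-formed tags; the cheap length check runs first."""
    if not isinstance(value, str) or len(value) > MAX_LANGUAGE_CODE_LENGTH:
        return False
    return _LANGUAGE_TAG_RE.fullmatch(value) is not None


def sanitize_accept_language(header, max_entries=10):
    """Keep only well-formed, bounded entries of an Accept-Language header value.

    Returns the rebuilt header string, or '' when nothing acceptable survives.
    """
    # Reject the whole header if it is too long to hold max_entries sane entries.
    if not isinstance(header, str) or len(header) > max_entries * (MAX_LANGUAGE_CODE_LENGTH + 16):
        return ""
    kept = []
    for part in header.split(",")[:max_entries]:
        entry = part.strip()
        tag, _, _quality = entry.partition(";")  # e.g. "fr;q=0.5" -> tag "fr"
        if tag == "*" or is_safe_language_code(tag):
            kept.append(entry)
    return ",".join(kept)


def scrub_language_inputs(meta, cookies, cookie_name="django_language"):
    """Remove oversized/malformed language inputs in place; return the keys dropped."""
    dropped = []
    if "HTTP_ACCEPT_LANGUAGE" in meta:
        cleaned = sanitize_accept_language(meta["HTTP_ACCEPT_LANGUAGE"])
        if cleaned:
            meta["HTTP_ACCEPT_LANGUAGE"] = cleaned
        else:
            del meta["HTTP_ACCEPT_LANGUAGE"]
            dropped.append("HTTP_ACCEPT_LANGUAGE")
    if cookie_name in cookies and not is_safe_language_code(cookies[cookie_name]):
        del cookies[cookie_name]
        dropped.append(cookie_name)
    return dropped


class LanguageInputGuardMiddleware:
    """Hypothetical middleware; list it before LocaleMiddleware in MIDDLEWARE."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        scrub_language_inputs(request.META, request.COOKIES)
        return self.get_response(request)
```

Oversized inputs are dropped rather than truncated so that Django falls back to LANGUAGE_CODE instead of parsing a cut-down tag.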

Summary generated and translated by AI from the official description.

Official description

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
n/a · n/a