CVE-2023-43665 Overview
CVE-2023-43665 is a Denial of Service (DoS) vulnerability affecting Django's django.utils.text.Truncator class. The chars() and words() methods, when invoked with html=True, are susceptible to resource exhaustion attacks when processing specially crafted, very long, or potentially malformed HTML text. This vulnerability also impacts the truncatechars_html and truncatewords_html template filters that rely on these underlying methods.
This issue stems from an incomplete fix for the previously disclosed CVE-2019-14232: the original mitigation did not cover every input pattern that makes HTML truncation computationally expensive.
Critical Impact
Attackers can cause application-level denial of service by submitting malformed HTML content to endpoints that utilize Django's HTML truncation functionality, potentially rendering web applications unresponsive.
Affected Products
- Django 3.2 before 3.2.22
- Django 4.1 before 4.1.12
- Django 4.2 before 4.2.6
- Fedora 39
Discovery Timeline
- 2023-10-04 - Django Project releases security patches
- 2023-11-03 - CVE-2023-43665 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-43665
Vulnerability Analysis
The vulnerability resides in Django's text truncation utilities designed to safely truncate HTML content while preserving valid markup structure. When the chars() or words() methods of django.utils.text.Truncator are called with the html=True parameter, the implementation attempts to parse and process HTML to determine safe truncation points that maintain tag integrity.
The flaw occurs when these methods receive maliciously crafted input containing very long strings or malformed HTML structures. The parsing logic enters computationally expensive processing paths that consume excessive CPU resources, leading to denial of service conditions. This is an algorithmic complexity attack where the attacker can force the application into worst-case computational scenarios.
Applications using the truncatechars_html and truncatewords_html template filters are particularly at risk, as these are commonly used to display user-generated content summaries in views, RSS feeds, and API responses.
Root Cause
The root cause is improper validation and handling of HTML input length and structure before processing in the Truncator class. The original fix for CVE-2019-14232 did not comprehensively address all edge cases where malformed or excessively long HTML input could trigger algorithmic complexity issues in the HTML parsing logic. The parsing algorithm lacks adequate safeguards against inputs designed to maximize processing time.
Attack Vector
This vulnerability can be exploited remotely over the network without authentication. An attacker can submit HTTP requests containing malicious HTML payloads to any endpoint that processes user input through Django's HTML truncation filters.
The attack is particularly effective when:
- User-submitted content is displayed using truncatechars_html or truncatewords_html filters
- Form submissions or API endpoints accept HTML content that gets truncated
- Content management systems preview or display summaries of user content
The attack mechanism involves crafting HTML input with deeply nested tags, extremely long attribute values, or malformed structures that cause the parsing algorithm to perform excessive backtracking or recursive processing, exhausting server CPU resources.
Detection Methods for CVE-2023-43665
Indicators of Compromise
- Abnormally high CPU utilization on Django application servers without corresponding increase in legitimate traffic
- Slow response times or timeouts on pages that display truncated HTML content
- Web application logs showing requests with unusually large HTML payloads targeting content display endpoints
- Memory consumption spikes associated with HTML parsing operations
Detection Strategies
- Monitor application performance metrics for degradation patterns associated with specific endpoints using HTML truncation
- Implement request payload size logging and alerting for HTML content fields exceeding normal thresholds
- Deploy web application firewall (WAF) rules to detect and block requests with malformed or excessively long HTML structures
- Analyze Django application logs for error patterns related to template rendering timeouts
Monitoring Recommendations
- Configure application performance monitoring (APM) to track CPU usage patterns on template rendering operations
- Set up alerts for response time degradation on views utilizing HTML truncation filters
- Monitor request queue depths and worker process health on application servers
- Implement rate limiting on endpoints that accept user-generated HTML content
How to Mitigate CVE-2023-43665
Immediate Actions Required
- Upgrade Django immediately to a patched release: 3.2.22, 4.1.12, or 4.2.6 (or a later release within the same series)
- Identify all templates and code paths using truncatechars_html, truncatewords_html, or Truncator with html=True
- Implement input length validation before processing content through HTML truncation functions
- Consider temporarily replacing HTML truncation with plain text truncation (truncatechars, truncatewords) until patching is complete
Patch Information
Django has released security updates addressing this vulnerability. Organizations should upgrade to the following minimum versions:
- Django 3.2.x: Upgrade to 3.2.22 or later
- Django 4.1.x: Upgrade to 4.1.12 or later
- Django 4.2.x: Upgrade to 4.2.6 or later
Patch details and release notes are available at the Django Security Release Notes and the Django Weblog Security Releases.
Fedora users should apply updates via the standard package management system as Fedora has issued corresponding package updates.
Workarounds
- Strip HTML tags from user input with strip_tags() before truncating, and then apply the non-HTML truncation filters (truncatechars, truncatewords)
- Implement server-side input validation to reject HTML content exceeding reasonable length thresholds
- Use content sanitization libraries to normalize HTML before processing through truncation methods
- Configure web server or reverse proxy timeouts to prevent individual requests from consuming resources indefinitely
# Upgrade Django to a patched version. Quote the specifier: unquoted, the shell treats ">=4.2.6" as an output redirect.
pip install --upgrade 'Django>=4.2.6'
# Deployments on the 3.2 or 4.1 series should stay within their series, e.g. 'Django>=3.2.22,<3.3' or 'Django>=4.1.12,<4.2'
# Verify installed version
python -c "import django; print(django.get_version())"
# For requirements.txt, update the Django version constraint, for example:
# Django>=4.2.6
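The workarounds above (length validation before HTML truncation, and stripping tags followed by plain-text truncation) can be combined into a single pre-filter. The code below is an added example, not Django's code or the page's own: it makes one linear pass with the standard-library HTMLParser to measure total length, tag nesting depth and attribute-value size, rejects fragments that exceed constructed thresholds, and otherwise returns the tag-stripped text for plain truncation. The threshold constants and the function names inspect_html and safe_truncate_chars are assumptions of this example.

```python
from html.parser import HTMLParser

# Thresholds are constructed assumptions; tune them to your content.
MAX_INPUT_LEN = 10_000      # reject before any HTML parsing happens
MAX_NESTING_DEPTH = 50      # deeper tag nesting is rejected
MAX_ATTR_VALUE_LEN = 1_000  # cap on any single attribute value


class _Inspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.depth = 0
        self.max_depth = 0
        self.max_attr = 0
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        # Track the deepest open-tag nesting seen so far.
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        for _, value in attrs:
            if value is not None:
                self.max_attr = max(self.max_attr, len(value))

    def handle_endtag(self, tag):
        self.depth = max(0, self.depth - 1)

    def handle_data(self, data):
        self.text_parts.append(data)


def inspect_html(text):
    """Return (accepted, reason, plain_text) for a user-supplied fragment."""
    if len(text) > MAX_INPUT_LEN:
        return False, "input exceeds MAX_INPUT_LEN", ""
    parser = _Inspector()
    parser.feed(text)
    parser.close()
    if parser.max_depth > MAX_NESTING_DEPTH:
        return False, "nesting exceeds MAX_NESTING_DEPTH", ""
    if parser.max_attr > MAX_ATTR_VALUE_LEN:
        return False, "attribute value exceeds MAX_ATTR_VALUE_LEN", ""
    return True, "ok", "".join(parser.text_parts)


def safe_truncate_chars(text, limit):
    """Strip tags, then truncate plain text (the page's fallback workaround)."""
    accepted, _, plain = inspect_html(text)
    if not accepted:
        return ""
    return plain if len(plain) <= limit else plain[: limit - 1] + "…"
```

Rejected fragments should be logged with their reason, since a burst of rejections on one endpoint is itself a useful detection signal for the abuse pattern this advisory describes.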
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


