CVE-2024-38875 Overview
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. The urlize and urlizetrunc template filters were subject to a potential denial of service attack via certain inputs with a very large number of brackets. This vulnerability allows remote attackers to cause resource exhaustion by sending specially crafted input strings that exploit the inefficient parsing behavior of these template filters.
Critical Impact
Remote attackers can cause denial of service by exploiting inefficient bracket parsing in Django's urlize and urlizetrunc template filters, potentially rendering affected web applications unavailable.
Affected Products
- Django versions 4.2 before 4.2.14
- Django versions 5.0 before 5.0.7
- Applications using urlize or urlizetrunc template filters with user-controlled input
Discovery Timeline
- July 9, 2024 - Django Project releases Django 5.0.7 and 4.2.14 together with the security advisory
- July 10, 2024 - CVE-2024-38875 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-38875
Vulnerability Analysis
This vulnerability is recorded as CWE-130 (Improper Handling of Length Parameter Inconsistency); behaviourally it is an algorithmic complexity problem of the kind CWE-407 (Inefficient Algorithmic Complexity) describes, where crafted input drives otherwise ordinary code into its worst case. The urlize and urlizetrunc template filters convert URLs found in plain text into clickable links; both are thin wrappers around the same django.utils.html.urlize function. Part of that work is trimming wrapping punctuation such as brackets from each candidate URL, and that step does far more work than necessary when the input contains an extremely large number of bracket characters.
A single request containing thousands or millions of consecutive brackets therefore costs far more CPU time than its size alone would suggest. Processing time grows much faster than linearly in the number of brackets (not exponentially, but fast enough that one request can occupy a worker for a long time), and a handful of such requests in parallel means hung workers, timeouts, and denial of service for legitimate users.
Root Cause
The root cause lies in how the URL-parsing logic shared by urlize and urlizetrunc handles bracket characters: with no limit on how many it will process and no optimisation for long runs of them, processing time and resource consumption climb steeply with the bracket count. This is a classic algorithmic complexity vulnerability, where specially crafted input triggers worst-case behaviour in code that performs well on ordinary text. The fix in 4.2.14 and 5.0.7 lives in that shared code, so both template filters, and any application code that calls django.utils.html.urlize directly, are covered by the same upgrade.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker needs to identify an endpoint where user input is processed through urlize or urlizetrunc template filters and then submit crafted payloads containing a very large number of bracket characters. Common attack scenarios include:
- Comment forms that render user input using urlize
- User profile descriptions processed with urlizetrunc
- Forum posts or chat messages that auto-link URLs
- Any template rendering user-controlled content with these filters
- Any Python code (views, serializers, notification email rendering) that calls django.utils.html.urlize directly on user input, since the template filters are wrappers around it
The attack requires no special privileges and uses the application's normal functionality, so it is hard to tell from legitimate traffic without inspecting payload content specifically.
Detection Methods for CVE-2024-38875
Indicators of Compromise
- Unusual CPU spikes on web application servers during request processing
- Web server timeouts or slow response times correlating with specific request patterns
- Request payloads containing abnormally large numbers of bracket characters ((, ), [, ], {, })
- Error logs showing template rendering timeouts or memory exhaustion
Detection Strategies
- Monitor request payloads for strings containing excessive bracket characters (a starting threshold of more than 1000 brackets; tune it against your own traffic, since a few parenthesised URLs in a comment are normal and a long unbroken run of the same bracket is not)
- Implement request timeout monitoring to detect abnormally long template rendering times
- Deploy web application firewall (WAF) rules to flag or block requests with suspicious bracket patterns
- Review Django application logs for template rendering errors or timeouts
Monitoring Recommendations
- Enable detailed logging for Django template processing in production environments
- Set up alerting for CPU utilization anomalies on application servers
- Monitor response time metrics and establish baselines to detect degradation
- Track error rates for timeout-related HTTP status codes (504, 503)
How to Mitigate CVE-2024-38875
Immediate Actions Required
- Upgrade Django to version 4.2.14 or later for Django 4.2.x series
- Upgrade Django to version 5.0.7 or later for Django 5.0.x series
- Audit templates using urlize or urlizetrunc filters with user-controlled input
- Implement input length limits on fields processed by affected template filters; because the cost grows much faster than linearly with the bracket count, even a modest length cap bounds the worst case sharply
Patch Information
The Django Project has released security patches addressing this vulnerability. Patched versions include Django 4.2.14 and Django 5.0.7 or later. Detailed patch information and security release notes are available through the Django Security Release Notes and the Django Blog Security Releases. NetApp has also issued a related advisory at NetApp Security Advisory NTAP-20240808-0005.
Workarounds
- Implement input validation to limit the number of bracket characters in user-submitted content before template processing
- Use custom template filters that sanitize or truncate bracket sequences before calling urlize or urlizetrunc
- Deploy request size limits and timeouts at the web server or reverse proxy level. Django's own DATA_UPLOAD_MAX_MEMORY_SIZE setting (2.5 MB by default) is far larger than a payload of this kind needs to be, so leave it in place but do not count it as a mitigation on its own
- Consider disabling urlize and urlizetrunc filters for user-controlled content until patches can be applied
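A pre-filter of the kind the second workaround describes, as an added example rather than Django project code. The helper names, the MAX_BRACKETS and MAX_RUN values and the safe_urlize filter name are assumptions for this page; the registration at the bottom only runs when Django is importable and mirrors the built-in urlize filter, which wraps django.utils.html.urlize and marks the result safe.

```python
"""Cap bracket characters before user text reaches urlize/urlizetrunc.

Added example, not Django's own code. MAX_BRACKETS, MAX_RUN, the helper
names and the `safe_urlize` filter name are assumptions for this page.
"""
import re

MAX_BRACKETS = 200   # assumption: well above anything a real comment needs
MAX_RUN = 3          # assumption: longest run of one bracket kept intact
_BRACKET_RE = re.compile(r"[()\[\]{}]")


def cap_brackets(text: str, max_brackets: int = MAX_BRACKETS) -> str:
    """Cut the text off just before the bracket that exceeds the cap.

    Ordinary prose with a few parenthesised URLs passes through unchanged;
    a bracket flood is truncated so the downstream filter never sees it.
    """
    seen = 0
    for match in _BRACKET_RE.finditer(text):
        seen += 1
        if seen > max_brackets:
            return text[: match.start()]
    return text


def collapse_bracket_runs(text: str, max_run: int = MAX_RUN) -> str:
    """Shorten any run of the same bracket longer than max_run to max_run.

    Gentler than truncation: the rest of the message survives and only the
    repeated brackets are collapsed.
    """
    pattern = re.compile(r"([()\[\]{}])\1{%d,}" % max_run)
    return pattern.sub(lambda m: m.group(1) * max_run, text)


def prefilter(text: str) -> str:
    """Apply both protections; this is what the template filter calls."""
    return cap_brackets(collapse_bracket_runs(text))


# Template filter registration. Only possible when Django is importable; it
# mirrors the built-in urlize filter, which wraps django.utils.html.urlize.
try:
    from django import template
    from django.utils.html import urlize as _urlize
    from django.utils.safestring import mark_safe

    register = template.Library()

    @register.filter(is_safe=True, needs_autoescape=True)
    def safe_urlize(value, autoescape=True):
        """Drop-in for |urlize that runs the bracket pre-filter first."""
        return mark_safe(_urlize(prefilter(str(value)), nofollow=True, autoescape=autoescape))
except ImportError:
    register = None   # outside Django the helpers above are still usable
```

To use it, the module would be saved under an app's templatetags package (for instance templatetags/safe_urlize.py, an assumed name), loaded with {% load safe_urlize %} and applied as {{ comment|safe_urlize }} in place of {{ comment|urlize }}. Treat this as a stopgap for templates you cannot patch immediately: it does not fix the underlying filter, and anything that still calls |urlize or django.utils.html.urlize directly on unfiltered input remains exposed until the upgrade.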
# Upgrade Django to the patched release in the series you are on (quote the
# specifier, otherwise the shell treats ">=" as an output redirect)
pip install --upgrade "Django>=4.2.14,<4.3"
# Or for the Django 5.0 series
pip install --upgrade "Django>=5.0.7,<5.1"
# Verify the installed version
python -c "import django; print(django.get_version())"
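A small check that turns a version string or the django.VERSION tuple into a verdict against the advisory's ranges, as an added example (not from the advisory or the Django project). It reports only the two series the advisory names; anything else comes back as "not covered" rather than "safe", because the advisory says nothing about other series.

```python
"""Report whether a Django version is in the ranges this advisory covers.

Added example, not from the advisory or the Django project. The ranges are
exactly the ones stated above (4.2 before 4.2.14, 5.0 before 5.0.7); any
other series is reported as "not covered" because the advisory says nothing
about it, not because it is known to be safe.
"""
import re
from typing import Sequence, Tuple, Union

FIXED_IN = {(4, 2): (4, 2, 14), (5, 0): (5, 0, 7)}

# Accepts '4.2.13', '5.0', or a pip freeze line such as 'Django==4.2.13'.
_VERSION_RE = re.compile(r"^\s*(?:django\s*==\s*)?(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a version string into (major, minor, micro); micro defaults to 0."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, micro = match.groups()
    return int(major), int(minor), int(micro or 0)


def status(version: Union[str, Sequence]) -> str:
    """Return 'vulnerable', 'fixed' or 'not covered'.

    Tuples are taken in django.VERSION form, (major, minor, micro, level,
    serial); only the first three fields matter here, so a 5.0 pre-release
    such as (5, 0, 0, 'alpha', 1) is correctly reported as vulnerable.
    """
    if isinstance(version, str):
        v = parse_version(version)
    else:
        v = tuple(int(x) for x in version[:3])
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "not covered"
    return "vulnerable" if v < fixed else "fixed"


def installed_status():
    """Status of the Django in this interpreter, or None if not installed."""
    try:
        import django
    except ImportError:
        return None
    return status(django.VERSION)


if __name__ == "__main__":
    for sample in ["4.2.13", "Django==4.2.14", "5.0.6", "5.0.7", "5.1", "3.2.25"]:
        print(f"{sample:16} {status(sample)}")
    print("installed:", installed_status())
```

Feed it the output of pip freeze across a fleet, or call installed_status() from the interpreter your application actually runs under, since a patched system Python says nothing about the Django pinned inside a virtualenv or container image.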
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

