CVE-2024-41991 Overview
CVE-2024-41991 is a denial-of-service vulnerability affecting Django 5.0 before 5.0.8 and Django 4.2 before 4.2.15. The flaw resides in the urlize and urlizetrunc template filters and in the AdminURLFieldWidget widget. An attacker can submit input containing a very large number of Unicode characters to trigger excessive processing, exhausting CPU and memory on the affected Django application server. The vulnerability is network-exploitable and requires neither authentication nor user interaction. Because Django is a widely deployed Python web framework, the exposure surface across web applications and admin interfaces is significant.
Critical Impact
Remote unauthenticated attackers can degrade or disable Django applications by submitting Unicode-heavy inputs to vulnerable template filters or the admin URL widget.
Affected Products
- Django 5.0 prior to 5.0.8
- Django 4.2 prior to 4.2.15
- Applications using urlize, urlizetrunc, or AdminURLFieldWidget
Discovery Timeline
- 2024-08-06 - Django project publishes security release advisory
- 2024-08-07 - CVE-2024-41991 published to NVD
- 2025-11-04 - NVD record last updated
Technical Details for CVE-2024-41991
Vulnerability Analysis
The vulnerability is a denial-of-service issue rooted in inefficient processing of Unicode-heavy inputs. It is categorized under [CWE-1284] Improper Validation of Specified Quantity in Input and [CWE-130] Improper Handling of Length Parameter Inconsistency. The urlize and urlizetrunc template filters convert plain-text URLs and email addresses into clickable HTML links. The AdminURLFieldWidget renders URL form fields inside the Django admin interface. Each of these components performs Unicode-aware parsing and link detection on user-supplied content.
When an input contains a very large number of Unicode characters, the parsing logic consumes disproportionate CPU and memory. A single request can stall a worker thread or process, and repeated requests amplify the impact across the application. The result is loss of availability for the Django service without affecting confidentiality or integrity.
Root Cause
The root cause is the absence of input-size or complexity bounds in the Unicode handling path of the affected filters and widget. Length validation does not account for the additional cost of processing multi-byte Unicode sequences during link detection and HTML escaping.
Attack Vector
An unauthenticated remote attacker submits a crafted payload to any endpoint that renders content through urlize or urlizetrunc, or to an admin form using AdminURLFieldWidget. The payload contains a large block of Unicode characters designed to maximize processing time. No credentials, privileges, or user interaction are required.
No verified public exploit code is available. Refer to the Django Weblog Security Releases for the authoritative technical description.
Detection Methods for CVE-2024-41991
Indicators of Compromise
- HTTP requests containing abnormally large bodies with high Unicode character density targeting endpoints that render urlize or urlizetrunc output
- Spikes in CPU and memory consumption on Django worker processes correlated with specific request URIs
- Increased request latency or worker timeouts on admin URL fields
Detection Strategies
- Inspect web application logs for repeated POST or GET requests with payload sizes that exceed typical baselines for text fields
- Correlate Django application metrics (request duration, worker restarts) with inbound traffic patterns to identify resource-exhaustion attempts
- Apply web application firewall rules that flag inputs containing excessive non-ASCII or combining-character sequences
Monitoring Recommendations
- Track per-endpoint p95 and p99 response times, especially for views and admin pages that handle URL fields
- Monitor process-level CPU and memory for Gunicorn, uWSGI, or ASGI workers serving Django
- Alert on sustained worker saturation or repeated WORKER TIMEOUT events in application logs
How to Mitigate CVE-2024-41991
Immediate Actions Required
- Upgrade Django to 5.0.8 or later on the 5.0 series, or 4.2.15 or later on the 4.2 series, as published in the Django Security Releases
- Inventory all applications using urlize, urlizetrunc, or AdminURLFieldWidget and prioritize patching internet-facing services
- Apply request size limits at the reverse proxy or load balancer to bound input length before it reaches Django
Patch Information
The Django project released fixed versions 5.0.8 and 4.2.15 on August 6, 2024. Refer to the Django Security Releases Documentation and the NetApp Security Advisory NTAP-20240905-0007 for vendor-specific guidance.
Workarounds
- Restrict access to admin interfaces using AdminURLFieldWidget via network controls or authentication proxies until patching is complete
- Remove or replace urlize and urlizetrunc filters on user-controlled content in public templates where feasible
- Enforce strict maximum length validation on form fields that feed into the affected filters or widget
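The following is an added example (not Django project code and not from the advisory) that puts the two controls described above into plain Python: the request-triage check from the Detection Strategies list (flagging inputs with excessive non-ASCII or combining-character content) and the strict length validation from the Workarounds list, written as a validator-style guard for fields that feed urlize, urlizetrunc, or the admin URL widget. The thresholds, the `profile_text` and `triage_reasons` helpers, and the sample inputs are all assumptions constructed for this example; the script runs without Django installed, so a real deployment would raise `ValidationError` instead of `ValueError`.

```python
"""Triage and validation guard for Unicode-heavy text reaching urlize/urlizetrunc.

Added example, not Django project code. Thresholds below are assumptions to be
tuned against the baseline of the field in question, not values from the advisory.
"""
import unicodedata
from dataclasses import dataclass

# Assumed thresholds (not from the advisory).
MAX_LENGTH = 2000            # characters (code points), not bytes
MAX_NON_ASCII_RATIO = 0.5    # fraction of code points outside ASCII
MAX_COMBINING_RUN = 8        # longest run of consecutive combining marks


@dataclass(frozen=True)
class UnicodeProfile:
    length: int
    non_ascii: int
    combining: int
    longest_combining_run: int

    @property
    def non_ascii_ratio(self) -> float:
        return self.non_ascii / self.length if self.length else 0.0


def profile_text(text: str) -> UnicodeProfile:
    """Count code points, non-ASCII code points and combining marks in one pass."""
    non_ascii = combining = run = longest = 0
    for ch in text:
        if ord(ch) > 0x7F:
            non_ascii += 1
        if unicodedata.combining(ch):      # non-zero canonical combining class
            combining += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return UnicodeProfile(len(text), non_ascii, combining, longest)


def triage_reasons(text: str, *, max_length=MAX_LENGTH,
                   max_non_ascii_ratio=MAX_NON_ASCII_RATIO,
                   max_combining_run=MAX_COMBINING_RUN) -> list[str]:
    """Return every reason an input exceeds the assumed bounds (empty list = clean).

    Meant for request triage (a WAF rule or log review), so all reasons are
    reported rather than stopping at the first one.
    """
    p = profile_text(text)
    reasons = []
    if p.length > max_length:
        reasons.append(f"length {p.length} > {max_length}")
    # Density only matters once the input is non-trivial in size; a short
    # all-Unicode value such as a name in another script must not be flagged.
    if p.length >= 64 and p.non_ascii_ratio > max_non_ascii_ratio:
        reasons.append(f"non-ASCII ratio {p.non_ascii_ratio:.2f} > {max_non_ascii_ratio}")
    if p.longest_combining_run > max_combining_run:
        reasons.append(f"combining-mark run {p.longest_combining_run} > {max_combining_run}")
    return reasons


def validate_bounded_text(value: str, **limits) -> str:
    """Validator-style guard: raise instead of reporting.

    Place in front of any field rendered through urlize/urlizetrunc or the
    admin URL widget; a real Django validator would raise ValidationError.
    """
    reasons = triage_reasons(value, **limits)
    if reasons:
        raise ValueError("rejected Unicode-heavy input: " + "; ".join(reasons))
    return value


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "normal": "Visit https://example.com for details, or mail info@example.com.",
    "short_unicode": "Größe Straße café",                      # legitimate, short
    "zalgo": "a" + "\u0301" * 30 + " https://example.com",      # long combining run
    "flood": "\u0416" * 5000,                                   # 5000 Cyrillic letters
}


def triage_samples() -> dict[str, list[str]]:
    """Run triage over every constructed sample."""
    return {name: triage_reasons(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in triage_samples().items():
        print(f"{name:14s} {'FLAG' if reasons else 'ok  '} {reasons}")
```

Running the script flags only the "zalgo" sample (one reason: the combining-mark run) and the "flood" sample (two reasons: length and non-ASCII density) while leaving the short German string untouched; the 64-character floor on the density check is what keeps ordinary non-Latin names from tripping the rule, which is the false-positive case a WAF signature based on raw non-ASCII counts tends to get wrong.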
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.