CVE-2026-1285: Djangoproject Django DoS Vulnerability

CVE-2026-1285 Overview

A denial-of-service vulnerability has been discovered in Django's text truncation functionality. The django.utils.text.Truncator.chars() and Truncator.words() methods (when used with html=True), as well as the truncatechars_html and truncatewords_html template filters, are susceptible to algorithmic complexity attacks. A remote attacker can exploit this vulnerability by submitting crafted inputs containing a large number of unmatched HTML end tags, causing excessive resource consumption and potential service disruption.

Critical Impact

Remote attackers can cause denial of service on Django applications using HTML truncation features without requiring authentication or user interaction.

Affected Products

• Django 6.0 before 6.0.2
• Django 5.2 before 5.2.11
• Django 4.2 before 4.2.28
• Earlier unsupported Django series (5.0.x, 4.1.x, 3.2.x) may also be affected

Discovery Timeline

• 2026-02-03 - Vulnerability disclosed by Seokchan Yoon
• 2026-02-03 - Django Project releases security patches
• 2026-02-03 - CVE CVE-2026-1285 published to NVD
• 2026-02-04 - Last updated in NVD database

Technical Details for CVE-2026-1285

Vulnerability Analysis

This vulnerability is classified as an Algorithmic Complexity Attack (CWE-407), affecting Django's HTML-aware text truncation functionality. The Truncator class in django.utils.text provides methods to truncate text while preserving HTML structure. When processing HTML content, the truncation logic must parse and track HTML tags to ensure proper tag closure in the output.

The vulnerable methods fail to efficiently handle malformed HTML inputs containing excessive unmatched closing tags. When an attacker submits input with a large number of orphaned </tag> elements, the parsing algorithm experiences degraded performance, leading to excessive CPU consumption and potential denial of service.

Root Cause

The root cause lies in the HTML parsing logic within the Truncator.chars() and Truncator.words() methods when the html=True parameter is enabled. The algorithm attempts to track and balance HTML tags during truncation but lacks adequate safeguards against maliciously crafted inputs with disproportionate numbers of closing tags that have no corresponding opening tags. This creates an algorithmic complexity vulnerability where processing time grows non-linearly with the number of unmatched closing tags.

Attack Vector

This vulnerability is exploitable over the network without authentication or user interaction. An attacker can target any Django application endpoint that processes user-supplied content through the affected template filters (truncatechars_html or truncatewords_html) or directly calls the Truncator methods with HTML mode enabled.

Attack scenarios include:

• Submitting malicious content through web forms that display truncated previews
• Exploiting API endpoints that return truncated HTML summaries
• Targeting content management systems that automatically truncate user-generated content

The attack payload consists of HTML content with a large number of unmatched closing tags (e.g., thousands of </div> or </span> elements), which causes the truncation algorithm to consume excessive CPU resources while attempting to process the malformed structure.

Detection Methods for CVE-2026-1285

Indicators of Compromise

• Unusual CPU spikes on web servers running Django applications
• Slow response times or timeouts on endpoints that truncate user-provided HTML content
• HTTP requests containing abnormally large payloads with repetitive HTML closing tags
• Application logs showing extended processing times for text truncation operations

Detection Strategies

• Monitor web application firewall (WAF) logs for requests containing patterns of repeated HTML closing tags
• Implement rate limiting on endpoints that accept and process HTML content
• Configure application performance monitoring (APM) to alert on abnormal CPU usage patterns
• Analyze HTTP request payloads for unusual ratios of closing tags to opening tags

Monitoring Recommendations

• Deploy SentinelOne Singularity to monitor Django application processes for resource exhaustion patterns
• Establish baseline metrics for typical response times on content truncation endpoints
• Configure alerts for HTTP requests exceeding normal payload sizes on vulnerable endpoints
• Monitor server resource utilization with thresholds appropriate for detecting DoS conditions

How to Mitigate CVE-2026-1285

Immediate Actions Required

• Upgrade Django to the patched versions: 6.0.2, 5.2.11, or 4.2.28 depending on your current series
• If using unsupported Django versions (5.0.x, 4.1.x, 3.2.x), plan an immediate upgrade to a supported series
• Review application code for usage of truncatechars_html, truncatewords_html template filters, or Truncator methods with html=True
• Implement input validation to limit the size and complexity of HTML content processed through truncation functions

Patch Information

Django has released security patches addressing this vulnerability. The fixed versions are:

• Django 6.0.2 for the 6.0.x series
• Django 5.2.11 for the 5.2.x series
• Django 4.2.28 for the 4.2.x series

Detailed information is available in the Django Security Release Notes and the Django Weblog Security Release.

Workarounds

• Avoid using truncatechars_html and truncatewords_html template filters on untrusted user input until patches are applied
• Sanitize HTML input before passing to truncation functions to remove excessive or malformed closing tags
• Implement request size limits and rate limiting on endpoints that process HTML content
• Consider using non-HTML truncation methods (truncatechars, truncatewords) as temporary alternatives where HTML preservation is not critical

# Upgrade Django to patched version
pip install --upgrade Django>=6.0.2  # For Django 6.x
pip install --upgrade Django>=5.2.11  # For Django 5.2.x
pip install --upgrade Django>=4.2.28  # For Django 4.2.x

# Verify installed version
python -c "import django; print(django.VERSION)"