Django CVEs 2024 — Complete Security Release List

Updated March 2026 · PackageFix · Safe version: 5.1.4+ or 4.2.17+

Django had 14 security releases in 2024 — the most active year for Django CVEs in recent history. Highlights include a CRITICAL SQL injection (CVE-2024-42005) and multiple ReDoS vulnerabilities in template filters. This page covers every CVE with the exact patch version.

All Django 2024 CVEs

CVE | Year | Severity | Description | Fix
CVE-2024-24680 | 2024 | HIGH | ReDoS via intcomma template filter | Fixed 4.2.10
CVE-2024-27351 | 2024 | HIGH | ReDoS via strip_tags() HTML sanitizer — CISA KEV | Fixed 4.2.11
CVE-2024-38875 | 2024 | HIGH | ReDoS via urlize and urlizetrunc filters | Fixed 4.2.14
CVE-2024-39329 | 2024 | MEDIUM | Username enumeration via timing attack | Fixed 4.2.14
CVE-2024-39330 | 2024 | HIGH | Path traversal via python-dotenv | Fixed 4.2.14
CVE-2024-39614 | 2024 | MEDIUM | DoS via large number of headers | Fixed 4.2.14
CVE-2024-41989 | 2024 | HIGH | Memory exhaustion via large floatformat filter | Fixed 4.2.15
CVE-2024-41990 | 2024 | MEDIUM | DoS via urlize filter with long URLs | Fixed 4.2.15
CVE-2024-41991 | 2024 | HIGH | ReDoS via urlize filter | Fixed 4.2.15
CVE-2024-42005 | 2024 | CRITICAL | SQL injection via QuerySet.values() and values_list() | Fixed 4.2.15
CVE-2024-45230 | 2024 | HIGH | ReDoS via urlfield validation | Fixed 4.2.16
CVE-2024-45231 | 2024 | MEDIUM | Username enumeration via password reset | Fixed 4.2.16
CVE-2024-53907 | 2024 | HIGH | DoS via large multipart upload | Fixed 4.2.17
CVE-2024-53908 | 2024 | HIGH | SQL injection via HasKey lookup on Oracle | Fixed 4.2.17

Current safe versions

# Django 4.2 LTS (supported until April 2026)
Django==4.2.17

# Django 5.1 (latest)
Django==5.1.4

# Update
pip install Django==5.1.4
# Verify
python -c "import django; print(django.__version__)"

The CRITICAL CVE: SQL injection via QuerySet.values()

CVE-2024-42005 (CVSS CRITICAL) allows SQL injection via QuerySet.values() and values_list() with user-controlled field names. Any Django application that passes user input as field names to these queryset methods is vulnerable. This was patched in Django 4.2.15 and 5.0.8, released in August 2024.

Example of the vulnerable code pattern, alongside the allowlisted fix (MyModel stands for any model in your project):

from django.http import JsonResponse
from .models import MyModel

# VULNERABLE - field names come straight from user input
def export_vulnerable(request):
    fields = request.GET.getlist("fields")
    return JsonResponse(list(MyModel.objects.values(*fields)), safe=False)

# SAFE - keep only field names from a fixed allowlist
ALLOWED_FIELDS = {"name", "email", "created_at"}

def export_safe(request):
    fields = [f for f in request.GET.getlist("fields") if f in ALLOWED_FIELDS]
    return JsonResponse(list(MyModel.objects.values(*fields)), safe=False)

Note that values() called with no arguments returns every field of the model, so if an empty result of the filter should not expose all columns, reject an empty list before querying.

The ReDoS pattern in 2024

Six of Django's 2024 CVEs are ReDoS vulnerabilities in template filters — intcomma, strip_tags, urlize, urlizetrunc, and urlfield. Django uses regex for text processing in these filters. A crafted string passed to any of these filters can cause the template engine to hang. Most are fixed by replacing backtracking regex with linear-time alternatives.
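The shape of that fix, as an added example that is not Django's filter code and not any of the regexes patched in the CVEs above: a constructed nested-quantifier pattern (the classic ReDoS shape) next to a single-pass state-machine check that accepts exactly the same strings, plus a timer so the difference is visible. The pattern, the inputs and the function names are all illustrative.

```python
import re
import time

# Constructed illustration of the ReDoS shape, not Django's actual filter source.
# The inner "\w+" and the outer "(...)+" can both absorb the same characters, so on
# a string that almost matches, the engine tries every way of splitting the run.
WORD_LIST_BACKTRACKING = re.compile(r"(\w+\s?)+")

_WORD_CHAR = re.compile(r"\w")   # single-character classes: constant work per character
_SPACE_CHAR = re.compile(r"\s")


def is_word_list_regex(text: str) -> bool:
    """Reference check with the backtracking pattern (exponential on near-miss input)."""
    return WORD_LIST_BACKTRACKING.fullmatch(text) is not None


def is_word_list_linear(text: str) -> bool:
    """Accepts exactly the strings the regex accepts, in one pass with no backtracking.

    Language: one or more \\w+ words, each optionally followed by a single \\s.
      'start' -> expecting the first word character
      'word'  -> inside a word; one space may follow
      'space' -> the one allowed space was consumed; a word character must follow
    """
    state = "start"
    for ch in text:
        if _WORD_CHAR.fullmatch(ch):
            state = "word"
        elif state == "word" and _SPACE_CHAR.fullmatch(ch):
            state = "space"
        else:
            return False
    return state != "start"


def time_check(check, text: str) -> float:
    """Seconds spent in a single call of check(text)."""
    start = time.perf_counter()
    check(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Near-miss input: a run of word characters ending in a character that is
    # neither \w nor \s. Each extra character roughly doubles the regex's time.
    for n in (14, 16, 18):
        near_miss = "a" * n + "!"
        print(f"n={n:2d}  regex {time_check(is_word_list_regex, near_miss):.3f}s"
              f"  linear {time_check(is_word_list_linear, near_miss):.6f}s")
    big = "word " * 50_000
    print(f"linear check on {len(big)} chars: {time_check(is_word_list_linear, big):.3f}s")
```

Running the script shows the regex time roughly doubling per added character while the single-pass check stays flat even on a 250,000-character input. An input-length cap in front of a regex is a cheaper second layer, but it does not replace rewriting the pattern; a cap only bounds how long the hang lasts.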


Common questions

Which Django version should I use in 2026?
Django 5.1 is the current version (LTS candidate). Django 4.2 LTS is supported until April 2026. If you are on Django 3.x or earlier, upgrade immediately: all older versions are end of life with no security patches.
How often does Django release security patches?
Django's security team releases patches for all supported versions simultaneously, usually within a week of vulnerability disclosure. Subscribe to django-announce@googlegroups.com for notifications.
Is CVE-2024-42005 easy to exploit?
It requires passing user-controlled input as field names to QuerySet.values() or values_list(). This is an unusual pattern but not impossible. Search your codebase for .values() calls that use request data as field names.
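One way to run that search, as an added example that is neither PackageFix's nor Django's own tooling: an ast-based scanner that reports every .values()/.values_list() call whose field arguments are not string literals (a variable, *list or **mapping), and notes whether the enclosing function also reads request.GET, request.POST, request.data or request.query_params. It covers both code patterns from the QuerySet.values() section above; the allowlisted version is reported as well, because the scanner cannot see the filter, so findings are a review queue rather than verdicts. The sample views module it scans is constructed for the demo, and Invoice, export and the other names in it are hypothetical.

```python
"""Scan Python source for QuerySet.values()/values_list() calls with non-literal field names."""
import ast
from dataclasses import dataclass

QUERYSET_METHODS = {"values", "values_list"}
REQUEST_SOURCES = {"GET", "POST", "data", "query_params"}  # request.GET, request.POST, ...
FUNCTION_NODES = (ast.FunctionDef, ast.AsyncFunctionDef)


@dataclass(frozen=True)
class Finding:
    lineno: int
    method: str          # "values" or "values_list"
    function: str        # enclosing function name, or "<module>"
    reads_request: bool  # the same scope also reads request.GET/POST/data/query_params


def _is_str_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _reads_request(scope: ast.AST) -> bool:
    """True if the scope contains request.<GET|POST|data|query_params>."""
    return any(
        isinstance(n, ast.Attribute)
        and n.attr in REQUEST_SOURCES
        and isinstance(n.value, ast.Name)
        and n.value.id == "request"
        for n in ast.walk(scope)
    )


def find_dynamic_field_calls(source: str) -> list[Finding]:
    """Return every .values()/.values_list() call whose field arguments are not literals."""
    tree = ast.parse(source)
    parents = {child: parent for parent in ast.walk(tree) for child in ast.iter_child_nodes(parent)}
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        method = node.func.attr
        if method not in QUERYSET_METHODS:
            continue
        # .values("name", "email") is fine: the field names are fixed in the source.
        # Anything else (a variable, *list, **dict) may carry attacker-chosen names.
        dynamic_positional = any(not _is_str_literal(a) for a in node.args)
        star_kwargs = any(k.arg is None for k in node.keywords)  # **mapping
        if not (dynamic_positional or star_kwargs):
            continue
        # Climb to the enclosing function so the report names the view to look at.
        scope = node
        while scope in parents and not isinstance(scope, FUNCTION_NODES):
            scope = parents[scope]
        name = scope.name if isinstance(scope, FUNCTION_NODES) else "<module>"
        findings.append(Finding(node.lineno, method, name, _reads_request(scope)))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample views module (hypothetical names, not a real project) used as input.
SAMPLE_VIEWS = '''\
from django.http import JsonResponse
from .models import Invoice

ALLOWED = {"number", "total"}

def export(request):
    fields = request.GET.getlist("fields")
    return JsonResponse(list(Invoice.objects.values(*fields)), safe=False)

def export_safe(request):
    fields = [f for f in request.GET.getlist("fields") if f in ALLOWED]
    return JsonResponse(list(Invoice.objects.values(*fields)), safe=False)

def report():
    cols = ("number", "total")
    return Invoice.objects.values_list(*cols)

def fixed():
    return Invoice.objects.values("number", "total")
'''

if __name__ == "__main__":
    for f in find_dynamic_field_calls(SAMPLE_VIEWS):
        flag = "REVIEW: request data in scope" if f.reads_request else "static"
        print(f"line {f.lineno}: {f.function}() -> .{f.method}() with dynamic fields [{flag}]")
```

On the sample module the scanner reports export() (line 8), export_safe() (line 12) and report() (line 16) and skips fixed(), whose field names are literals. To scan a whole project, feed each .py file's contents to find_dynamic_field_calls() and triage the findings where reads_request is true first.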
