CVE-2024-27351 — Django ReDoS HIGH
🔴 CISA KEV
pypi
CVSS 7.5 · Django < 3.2.25, < 4.2.11, < 5.0.3 → 3.2.25 / 4.2.11 / 5.0.3
Django's django.utils.text.Truncator.words() method, when called with html=True, and the truncatewords_html template filter that wraps it, are subject to a regular expression denial of service (ReDoS) via a crafted string. Any view or template that runs truncatewords_html (or Truncator.words(html=True)) over attacker-controlled content, for example a user-submitted comment or profile text shortened for a list page, lets one request keep a worker busy for an effectively unbounded time. The plain truncatewords filter and strip_tags() are not part of this advisory. Django fixed the issue in its security releases of 4 March 2024: 3.2.25, 4.2.11 and 5.0.3.
What's affected
| Package | Ecosystem | Vulnerable | Safe version | Fix guide |
|---|---|---|---|---|
| Django | pypi | 3.2 < 3.2.25 | 3.2.25 | Full fix guide → |
| Django | pypi | 4.2 < 4.2.11 | 4.2.11 | Full fix guide → |
| Django | pypi | 5.0 < 5.0.3 | 5.0.3 | Full fix guide → |
How to fix CVE-2024-27351
- Update Django to 3.2.25, 4.2.11 or 5.0.3 (or any later release on a supported branch); 4.0 and 4.1 received no fix, so move off them entirely
- Run pip install -r requirements.txt, then confirm the resolved release with pip show django in the deployed environment
- Until the upgrade ships, do not pass untrusted HTML to truncatewords_html or Truncator.words(html=True); use the plain truncatewords filter, which does not parse tags, or cap the length of the input before truncating it
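A version check for this advisory, added here as an example (it is not code from Django or from the page's tooling): it reads an exact Django pin out of a requirements-style manifest and reports whether that release predates the fix on its branch. The manifest is constructed for the demo; the fixed-version table is the one from the advisory above.

```python
"""Report whether the Django release pinned in a requirements-style manifest
is affected by CVE-2024-27351 (ReDoS in Truncator.words(html=True) and the
truncatewords_html filter). Pure Python; Django does not need to be installed."""
import re

# First release on each then-supported branch that carries the fix, per the
# Django security releases of 4 March 2024.
FIXED_VERSIONS = {
    (3, 2): (3, 2, 25),
    (4, 2): (4, 2, 11),
    (5, 0): (5, 0, 3),
}

# Exact pins only ("Django==4.2.7", optionally with extras or a trailing
# comment). Ranged specifiers resolve at install time, so they are skipped
# here and must be checked against the installed version instead.
_PIN_RE = re.compile(
    r"^\s*django(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+){0,2})\s*(?:#.*)?$",
    re.IGNORECASE,
)


def parse_version(text):
    """'4.2' -> (4, 2, 0); '4.2.7' -> (4, 2, 7). Pre-release tags are not handled."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    """True if this Django release lacks the CVE-2024-27351 fix."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    if branch > max(FIXED_VERSIONS):
        # 5.1 and later were cut after the fix landed on main.
        return False
    # Branches older than 5.0 that got no fix (4.0, 4.1, and anything
    # before 3.2) carry the same truncation code and stay vulnerable.
    return True


def check_manifest(manifest_text):
    """Return (line, version, vulnerable) for every exact Django pin found."""
    findings = []
    for line in manifest_text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            version = m.group(1)
            findings.append((line.strip(), version, is_vulnerable(version)))
    return findings


# Constructed manifest for the demo; not taken from any real project.
CONSTRUCTED_MANIFEST = """\
# constructed example requirements.txt
Django==4.2.7  # pinned before the March 2024 security release
djangorestframework==3.14.0
"""

if __name__ == "__main__":
    for line, version, vulnerable in check_manifest(CONSTRUCTED_MANIFEST):
        status = "VULNERABLE" if vulnerable else "fixed"
        print(f"{line!r}: Django {version} -> {status}")
```

Ranged specifiers such as Django>=4.2,<5 are deliberately skipped: they resolve at install time, so the only reliable check for those is the release actually installed (pip show django) in the environment that serves traffic.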
✓ Verify with PackageFix
Paste your manifest into PackageFix to confirm the fix was applied: if CVE-2024-27351 no longer appears in the CVE table, the pinned Django release is at or past the fixed version for its branch. A manifest check only sees what is pinned, so for loose pins also confirm the installed release with pip show django.
Paste your manifest — get back a fixed version with all CVEs patched in seconds.
Open PackageFix → No signup · No CLI · No GitHub · Runs 100% in your browser
Frequently Asked Questions
Which APIs are affected?
The truncatewords_html template filter and the django.utils.text.Truncator.words() method when called with html=True. Both shorten HTML content to a given number of words while keeping tags balanced, which is why they are commonly applied to user-submitted content in list views and template tags. The plain truncatewords filter (html=False) and strip_tags() are not affected by this CVE.
Does this affect all Django versions?
Django 3.2, 4.2 and 5.0 were the supported branches at the time and received fixes in 3.2.25, 4.2.11 and 5.0.3. Django 4.0 and 4.1 were already end of life, contain the same truncation code and got no fix. Django 3.2 reached the end of extended support in April 2024, so move to a supported branch rather than staying on 3.2.25.
Can this take down my Django app?
Yes. A single HTTP request whose content reaches truncatewords_html (or Truncator.words(html=True)) can keep the regular expression engine busy for an effectively unbounded time, tying up that worker process; a handful of such requests exhaust a synchronous worker pool and the site stops responding.