955606 – (CVE-2025-32873) <dev-python/django-{4.2.21,5.1.9,5.2.1}: Denial-of-service possibility in ``strip_tags()``

Bug 955606 (CVE-2025-32873) - <dev-python/django-{4.2.21,5.1.9,5.2.1}: Denial-of-service possibility in ``strip_tags()``

Summary: <dev-python/django-{4.2.21,5.1.9,5.2.1}: Denial-of-service possibility in ``s...

Status:	CONFIRMED

Alias:	CVE-2025-32873

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:	955607 955608 955609
Blocks:
	Show dependency tree

Reported:	2025-05-08 04:32 UTC by Michał Górny
Modified:	2025-05-08 04:38 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2025-05-08 04:32:22 UTC

CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
=================================================================

:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
containing large sequences of incomplete HTML tags. This function is used to
implement the :tfilter:`striptags` template filter, which was thus also
vulnerable.

:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
exception if it encounters an unusually large number of unclosed opening tags.