CVE-2023-43665
📋 TL;DR
The HTML-aware truncation in Django's django.utils.text.Truncator (the chars() and words() methods called with html=True) relies on regular expressions that, even after the fix for CVE-2019-14232, still show linear backtracking complexity. A very long, possibly malformed HTML string therefore takes a long time to process, so an attacker who controls the text being truncated can burn CPU and cause denial of service. The truncatechars_html and truncatewords_html template filters are implemented on top of these methods and are affected in the same way; plain truncatechars and truncatewords are not HTML-aware and are not affected.
💻 Affected Systems
- Django
📦 What is this software?
Django by Djangoproject
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Each crafted request pins a worker process at full CPU for seconds; enough concurrent requests exhaust the worker pool and the service stops answering until the requests drain or the processes are restarted.
Likely Case
Degraded performance or temporary service disruption affecting users of pages using vulnerable template filters.
If Mitigated
Minimal: with the upgrade applied, or with input size limits and rate limiting in front of the affected views, the CPU cost per request stays bounded.
🎯 Exploit Status
Exploitation needs nothing more than getting a very long, malformed HTML string into a view whose template applies truncatechars_html or truncatewords_html to it, or whose code calls Truncator(...).chars() or .words() with html=True. The input may arrive directly in the request or as stored content (a comment, a profile field, an imported record) that is rendered later. This is the follow-up to CVE-2019-14232: the regular expressions rewritten for that fix still had linear backtracking complexity, so the earlier fix was incomplete.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Django 3.2.22, 4.1.12, and 4.2.6
Vendor Advisory: https://docs.djangoproject.com/en/4.2/releases/security/
Restart Required: Yes
Instructions:
1. Check the current version: 'python -m django --version'.
2. Upgrade to the first fixed release on your branch, e.g. 'pip install --upgrade Django==4.2.6' (or Django==4.1.12 / Django==3.2.22). The 4.0 and older branches were already end-of-life and did not receive the fix; move them to a supported branch.
3. Restart all Django processes (gunicorn/uWSGI/ASGI workers) and the web server in front of them.
4. Test application functionality, in particular pages that use the affected filters.
The fix bounds the input that Truncator processes in HTML mode to its first five million characters.
🔧 Temporary Workarounds
Disable vulnerable template filters
Remove truncatechars_html and truncatewords_html from templates that render untrusted content, or replace them with the plain truncatechars / truncatewords filters, which slice the text without parsing HTML (and so cannot preserve markup).
Input validation and sanitization
Reject or cap the size of user-supplied HTML before it is stored or rendered; a server-side length limit on the field (max_length on the model or form field) bounds the work the filter can do.
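The replacement-filter workaround above, as an added example (not Django project code and not from the original page): two drop-in filters that cap the amount of text handed to Truncator in HTML mode before truncating, mirroring the idea of the upstream fix with a much smaller, per-application ceiling. The MAX_HTML_INPUT_CHARS value and the module name safe_truncate are assumptions; registering the filters assumes Django is installed, while the capping helper runs on its own.

```python
"""Hardened stand-ins for truncatechars_html / truncatewords_html.

Added example, not Django project code. Drop into an app's templatetags/
package (e.g. templatetags/safe_truncate.py) and use {% load safe_truncate %}.
"""
# Assumption: tune this to the largest legitimate value your templates truncate.
# The upstream fix applies a 5,000,000-character ceiling inside Truncator; a
# per-application cap this small bounds the worst case far more tightly.
MAX_HTML_INPUT_CHARS = 100_000


def cap_html_input(value, limit=MAX_HTML_INPUT_CHARS):
    """Return (text, was_capped).

    The slow path is the HTML-aware regex scan inside Truncator, whose cost grows
    with input length; bounding the input bounds the work an attacker can cause,
    however malformed the HTML is.
    """
    text = "" if value is None else str(value)
    if len(text) <= limit:
        return text, False
    return text[:limit], True


try:
    from django import template
    from django.utils.text import Truncator

    register = template.Library()

    def _truncate_html(value, arg, method):
        try:
            length = int(arg)
        except (TypeError, ValueError):
            return value  # the built-in filters also pass a bad argument through
        text, _capped = cap_html_input(value)
        # Same call the built-in filters make, on bounded input.
        return getattr(Truncator(text), method)(length, html=True)

    @register.filter(is_safe=True)
    def safe_truncatechars_html(value, arg):
        """Same contract as truncatechars_html, with the input cap applied first."""
        return _truncate_html(value, arg, "chars")

    @register.filter(is_safe=True)
    def safe_truncatewords_html(value, arg):
        """Same contract as truncatewords_html, with the input cap applied first."""
        return _truncate_html(value, arg, "words")

except ImportError:
    # Django is not importable here; cap_html_input() still works on its own.
    register = None
```

Pick the cap well above the largest legitimate field so that only hostile input ever hits it: cutting HTML at an arbitrary character can split a tag, and Truncator will then treat the fragment as text.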
🧯 If You Can't Patch
- Bound request body size in front of the application (nginx client_max_body_size, or Django's DATA_UPLOAD_MAX_MEMORY_SIZE, 2.5 MB by default) and add WAF rules for unusually large text bodies sent to the affected views; this only helps when the payload arrives over HTTP directly and not through stored content rendered later
- Add rate limiting to endpoints using vulnerable template filters
🔍 How to Verify
Check if Vulnerable:
Check the Django version, then confirm whether any template applies truncatechars_html or truncatewords_html to untrusted text, or any Python code calls Truncator.chars()/words() with html=True on it.
Check Version:
python -m django --version
Verify Fix Applied:
Confirm the version is 3.2.22 or later on the 3.2 branch, 4.1.12 or later on 4.1, 4.2.6 or later on 4.2, or any later major release; then exercise a page that uses the filters with a large HTML sample and confirm the response time stays bounded.
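The two checks above, as an added example script (not from the original page or the Django project): it parses the output of `python -m django --version` against the fixed releases, and scans a source tree for the affected filters and direct Truncator calls in HTML mode. The SAMPLE_TEMPLATE is constructed to show what the scanner flags; the handling of end-of-life branches reflects the release status at the time of the advisory.

```python
"""Check a Django install and a source tree for CVE-2023-43665 exposure.

Added example, not Django project code. Usage: python check_cve_2023_43665.py [source_root]
"""
import re
import subprocess
import sys
from pathlib import Path

# First fixed release on each supported branch, from the Django advisory.
FIXED = {(3, 2): (3, 2, 22), (4, 1): (4, 1, 12), (4, 2): (4, 2, 6)}

# Template filters that call Truncator.chars()/words() with html=True.
FILTER_RE = re.compile(r"\|\s*truncate(?:chars|words)_html\b")
# Direct Python use of the Truncator API in HTML mode.
TRUNCATOR_RE = re.compile(r"\.(?:chars|words)\([^)]*\bhtml\s*=\s*True")

# Constructed sample template, used only to demonstrate the scanner.
SAMPLE_TEMPLATE = """\
<p>{{ post.body|truncatechars_html:200 }}</p>
<p>{{ post.body|truncatewords:20 }}</p>
<p>{{ post.body | truncatewords_html:20 }}</p>
"""


def parse_version(text):
    """'4.2.5' -> (4, 2, 5). Pre-release suffixes such as 'rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable_version(version):
    """True if this release predates the fix.

    Branches that were already end-of-life in October 2023 (2.2, 3.0, 3.1, 4.0)
    never received the fix and are reported vulnerable; 5.0 and later shipped
    with it.
    """
    major, minor, _ = version
    fixed = FIXED.get((major, minor))
    if fixed is not None:
        return version < fixed
    return (major, minor) < (4, 2)


def scan_text(text, name="<template>"):
    """Return (name, line_no, line) for each line using an affected filter or API call."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if FILTER_RE.search(line) or TRUNCATOR_RE.search(line):
            hits.append((name, no, line.strip()))
    return hits


def scan_tree(root):
    """Walk a source tree and scan templates and Python modules."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in {".html", ".txt", ".py"}:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            hits.extend(scan_text(text, str(path)))
    return hits


def installed_django_version():
    """Run `python -m django --version` in the current interpreter and parse it."""
    out = subprocess.run(
        [sys.executable, "-m", "django", "--version"],
        capture_output=True, text=True, check=True,
    )
    return parse_version(out.stdout)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    try:
        ver = installed_django_version()
        state = "VULNERABLE" if is_vulnerable_version(ver) else "fixed"
        print("Django %s: %s" % (".".join(map(str, ver)), state))
    except (subprocess.CalledProcessError, FileNotFoundError, ValueError) as exc:
        print("could not determine Django version:", exc)
    for name, no, line in scan_tree(root):
        print(f"{name}:{no}: {line}")
```

A hit only means the filter is in use; it is exploitable when the truncated value is attacker-controlled, so review each flagged line for where its input comes from.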
📡 Detection & Monitoring
Log Indicators:
- Requests whose processing time is far above the view's baseline while worker CPU is pinned; large text bodies (hundreds of KB or more) posted to views that render user content through truncatechars_html or truncatewords_html; the same client repeating such requests
Network Indicators:
- HTTP requests with very large bodies to views that render user-supplied HTML through the affected filters; the payload may also arrive through another path (API, import, stored content) and only cost CPU when the page that truncates it is rendered
SIEM Query:
source="web_logs" AND method="POST" AND content_length>1000000 AND response_time>5 | stats count BY src_ip, uri | where count>=3
(Field names depend on your log schema. The filter name never appears in the URI, so key on body size together with response time, and alert on repetition from one client rather than on a single slow request.)
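The same detection logic run offline over access-log lines, as an added example that is not part of the original page. It assumes an nginx log_format of `'$remote_addr [$time_local] "$request" $status req_len=$request_length rt=$request_time'`; the thresholds, the field names and the SAMPLE_LOG lines are constructed for the demonstration and should be adapted to your own schema and baseline.

```python
"""Flag CVE-2023-43665-style traffic in web server access logs.

Added example, not from the original page. Assumes an nginx log_format of
  '$remote_addr [$time_local] "$request" $status req_len=$request_length rt=$request_time'
Field names and thresholds are assumptions; adapt them to your own schema.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) req_len=(?P<req_len>\d+) rt=(?P<rt>[\d.]+)$'
)

# Constructed sample: one normal post, one normal read, and three oversized
# POSTs from a single client that each pin a worker for about ten seconds.
SAMPLE_LOG = """\
203.0.113.5 [04/Oct/2023:10:00:01 +0000] "POST /posts/new HTTP/1.1" 200 req_len=1843 rt=0.041
203.0.113.77 [04/Oct/2023:10:00:02 +0000] "POST /posts/new HTTP/1.1" 200 req_len=4200000 rt=9.870
203.0.113.77 [04/Oct/2023:10:00:14 +0000] "POST /posts/new HTTP/1.1" 200 req_len=4200000 rt=10.210
198.51.100.9 [04/Oct/2023:10:00:15 +0000] "GET /posts/ HTTP/1.1" 200 req_len=412 rt=0.012
203.0.113.77 [04/Oct/2023:10:00:26 +0000] "POST /posts/new HTTP/1.1" 200 req_len=4200000 rt=11.002
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["req_len"] = int(rec["req_len"])
    rec["rt"] = float(rec["rt"])
    rec["status"] = int(rec["status"])
    return rec


def is_suspicious(rec, body_threshold=1_000_000, slow_threshold=5.0):
    """A request body large enough to carry an oversized HTML payload *and* a
    slow response. Size alone is normal for uploads and slowness alone for any
    heavy view; the combination is the affected filter's signature."""
    return rec["req_len"] >= body_threshold and rec["rt"] >= slow_threshold


def detect(log_text, repeat_threshold=3, **thresholds):
    """Return (suspicious_records, offending_ips).

    An IP is reported once it has produced `repeat_threshold` suspicious
    requests: a single slow request is worth logging, a burst is an attack.
    """
    suspicious = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as evidence
        if is_suspicious(rec, **thresholds):
            suspicious.append(rec)
            per_ip[rec["ip"]] += 1
    offenders = sorted(ip for ip, n in per_ip.items() if n >= repeat_threshold)
    return suspicious, offenders


if __name__ == "__main__":
    hits, ips = detect(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ip"]} {rec["method"]} {rec["path"]} len={rec["req_len"]} rt={rec["rt"]:.2f}s')
    print("alert on:", ", ".join(ips) or "nobody")
```

Note that nginx's $request_length counts the request line and headers as well as the body, so set body_threshold comfortably above your largest legitimate form post rather than at an exact byte count.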
🔗 References
- http://www.openwall.com/lists/oss-security/2024/03/04/1
- https://docs.djangoproject.com/en/4.2/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D/
- https://security.netapp.com/advisory/ntap-20231221-0001/
- https://www.djangoproject.com/weblog/2023/oct/04/security-releases/