CVE-2024-38875

7.5 HIGH

📋 TL;DR

This vulnerability in Django's urlize and urlizetrunc template filters allows attackers to cause denial of service by providing inputs with excessive brackets. It affects Django applications using these template filters, potentially impacting website availability.

💻 Affected Systems

Products:
  • Django
Versions: Django 4.2 before 4.2.14 and Django 5.0 before 5.0.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using urlize or urlizetrunc template filters.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to resource exhaustion from processing malicious inputs with thousands of brackets.

🟠 Likely Case: Degraded performance or temporary service disruption when attackers exploit this vulnerability.

🟢 If Mitigated: Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted input to endpoints using vulnerable template filters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 4.2.14 or 5.0.7

Vendor Advisory: https://www.djangoproject.com/weblog/2024/jul/09/security-releases/

Restart Required: Yes

Instructions:

1. Upgrade Django to version 4.2.14 or 5.0.7 using pip (pip install Django==4.2.14 on the 4.2 series, pip install Django==5.0.7 on the 5.0 series)
2. Restart your Django application server
3. Verify the upgrade was successful

🔧 Temporary Workarounds

Input Validation Workaround (applies to: all)

Implement input validation to reject or truncate inputs with excessive brackets before processing.

Disable Vulnerable Filters (applies to: all)

Temporarily disable or replace urlize and urlizetrunc template filters with custom implementations.
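The input-validation workaround above in working form. This is an added example, not code from the advisory or from Django itself: a small pre-filter that counts bracket characters and either rejects or truncates text before it is handed to urlize or urlizetrunc. The threshold, the set of characters treated as brackets, and the CommentForm sketch in the trailing comment are assumptions for illustration.

```python
import re

# Assumed threshold for this example; the advisory names no specific number,
# so set it just above the largest legitimate bracket count your content has.
MAX_BRACKETS = 100

# Assumed set of characters budgeted as "brackets" (adjust to what your app sees).
BRACKET_CHARS = frozenset("()[]<>{}")


def count_brackets(text: str) -> int:
    """Count bracket characters in text (constructed helper, not a Django API)."""
    return sum(1 for ch in text if ch in BRACKET_CHARS)


def within_bracket_budget(text: str, limit: int = MAX_BRACKETS) -> bool:
    """True if the text contains at most `limit` bracket characters."""
    return count_brackets(text) <= limit


def truncate_at_bracket_budget(text: str, limit: int = MAX_BRACKETS) -> str:
    """Return the text cut off just before the bracket that would exceed the budget."""
    seen = 0
    for i, ch in enumerate(text):
        if ch in BRACKET_CHARS:
            seen += 1
            if seen > limit:
                return text[:i]
    return text


def guard_for_urlize(text: str, limit: int = MAX_BRACKETS, mode: str = "reject") -> str:
    """Pre-filter text before it reaches urlize/urlizetrunc.

    mode="reject" raises ValueError on over-budget input (use in form/API validation);
    mode="truncate" cuts the text at the budget (use when dropping input is not acceptable).
    """
    if within_bracket_budget(text, limit):
        return text
    if mode == "reject":
        raise ValueError(f"input exceeds bracket budget of {limit}")
    if mode == "truncate":
        return truncate_at_bracket_budget(text, limit)
    raise ValueError(f"unknown mode {mode!r}")


# Where this belongs in a Django project (hypothetical form, not shipped by Django):
# validate on the way in, so stored content never reaches the template filter over budget.
#
#   class CommentForm(forms.Form):
#       body = forms.CharField()
#
#       def clean_body(self):
#           body = self.cleaned_data["body"]
#           if not within_bracket_budget(body):
#               raise forms.ValidationError("Too many brackets in comment.")
#           return body


if __name__ == "__main__":
    # Constructed inputs: a normal comment and an over-budget one.
    print(guard_for_urlize("see the (docs) at https://example.test/[section]"))
    print(len(guard_for_urlize("(" * 500, limit=10, mode="truncate")))
```

Validating at ingestion (the form or API layer) is preferable to wrapping the filter: it keeps over-budget text out of the database, so the budget is enforced once rather than on every render.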

🧯 If You Can't Patch

  • Implement WAF rules to block requests with excessive brackets
  • Add rate limiting to endpoints using urlize/urlizetrunc filters

🔍 How to Verify

Check if Vulnerable / Check Version:

Print the installed Django version and compare it against the affected ranges above:

python -c "import django; print(django.get_version())"

Verify Fix Applied:

Verify Django version is 4.2.14 or higher for 4.2.x, or 5.0.7 or higher for 5.0.x
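A version check in code, as an added example (not from the advisory or from Django). It compares the installed version against the fixed releases the advisory names, 4.2.14 and 5.0.7, as integer tuples rather than strings, since a plain string comparison gets "4.2.9" versus "4.2.14" wrong. Series the advisory does not mention (for example 5.1 or 4.1) are reported as "not covered" rather than guessed at.

```python
import re
from typing import Optional, Tuple

# Fixed releases as stated in the advisory: 4.2.14 for the 4.2 series, 5.0.7 for 5.0.
FIXED_IN = {
    (4, 2): (4, 2, 14),
    (5, 0): (5, 0, 7),
}

# Leading major.minor[.patch]; suffixes such as "a1" or ".dev" are ignored for this check.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.2.14' or '5.0' into an integer tuple so comparisons are numeric."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fixed release of its series, False if at or above it,
    None if the series is not covered by this advisory."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def installed_django_status() -> str:
    """Report on the Django actually importable in this environment."""
    try:
        import django
    except ImportError:
        return "not installed"
    verdict = is_vulnerable(django.get_version())
    if verdict is None:
        return f"{django.get_version()}: series not covered by this advisory"
    return f"{django.get_version()}: {'vulnerable' if verdict else 'fixed'}"


if __name__ == "__main__":
    print(installed_django_status())
```

Run it inside the application's own virtualenv; a system-wide Python may import a different Django than the one serving requests.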

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for template rendering
  • High CPU/memory usage spikes

Network Indicators:

  • Requests containing large numbers of brackets in parameters

SIEM Query:

source="django" AND (message="urlize" OR message="urlizetrunc") AND duration>5s
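The two indicators above (slow renders and bracket-heavy request parameters) run over sample log lines, as an added example that is not part of the advisory. The log format is constructed for this example (key=value request lines with a duration_ms field); the 5 s threshold matches the SIEM query, and the bracket threshold is an assumption to tune per application.

```python
import re
from typing import Dict, List
from urllib.parse import quote, unquote

SLOW_MS = 5000             # matches the duration>5s condition in the SIEM query
MAX_QUERY_BRACKETS = 100   # assumed threshold; tune to legitimate traffic
BRACKET_CHARS = frozenset("()[]<>{}")

# Constructed request log lines; the second carries a bracket-heavy query and is slow,
# the third is slow without a suspicious query (e.g. a genuinely expensive page).
SAMPLE_LINES = [
    "2024-07-10T12:00:01Z INFO request method=POST path=/comments/ query= duration_ms=42 status=200",
    "2024-07-10T12:00:02Z INFO request method=GET path=/search/ query=q="
    + quote("(" * 3000) + " duration_ms=8300 status=200",
    "2024-07-10T12:00:03Z INFO request method=GET path=/search/ query=q=hello duration_ms=6100 status=200",
]

_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value request line into a dict (greedy values keep '=' inside the query)."""
    return dict(_KV_RE.findall(line))


def count_brackets(text: str) -> int:
    return sum(1 for ch in text if ch in BRACKET_CHARS)


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one finding per line that is slow and/or carries a bracket-heavy query."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        fields = parse_line(line)
        reasons = []
        duration = int(fields.get("duration_ms", "0"))
        if duration > SLOW_MS:
            reasons.append(f"slow request: {duration} ms")
        # Decode percent-encoding first: %28 and %5B are brackets once decoded.
        brackets = count_brackets(unquote(fields.get("query", "")))
        if brackets > MAX_QUERY_BRACKETS:
            reasons.append(f"{brackets} brackets in query string")
        if reasons:
            findings.append({
                "timestamp": line.split(" ", 1)[0],
                "path": fields.get("path"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LINES):
        print(finding)
```

A slow request on its own is a weak signal; the combination of a slow render and a bracket-heavy parameter on an endpoint that renders user content through urlize or urlizetrunc is what merits an alert.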

🔗 References
