CVE-2024-41989

7.5 HIGH

📋 TL;DR

This vulnerability in Django's floatformat template filter allows attackers to cause denial of service through memory exhaustion by providing specially crafted scientific notation numbers with large exponents. It affects Django applications using the vulnerable template filter with user-controlled input. All Django 5.0 before 5.0.8 and 4.2 before 4.2.15 installations are affected.

💻 Affected Systems

Products:
  • Django
Versions: Django 5.0.x before 5.0.8, Django 4.2.x before 4.2.15
Operating Systems: All operating systems running Django
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the floatformat template filter with user-controlled input. The vulnerability is present in default Django installations when this filter is used.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to memory exhaustion, potentially requiring server restart and causing extended downtime.

🟠 Likely Case

Temporary service degradation or unavailability affecting specific endpoints using the floatformat filter with user input.

🟢 If Mitigated

Minimal impact if input validation prevents malicious scientific notation from reaching the filter.

🌐 Internet-Facing: HIGH - Public-facing Django applications can be directly targeted by attackers without authentication.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but require attacker access to internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - attackers only need to send specially crafted scientific notation strings to endpoints using the floatformat filter. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 5.0.8 or 4.2.15

Vendor Advisory: https://www.djangoproject.com/weblog/2024/aug/06/security-releases/

Restart Required: Yes

Instructions:

1. Back up your Django application and database.
2. Update Django using pip: 'pip install Django==5.0.8' or 'pip install Django==4.2.15'.
3. Restart your Django application server.
4. Test critical functionality.

🔧 Temporary Workarounds

Input Validation for floatformat

Applies to: all

Validate and sanitize user input before passing it to the floatformat filter, rejecting scientific notation with large exponents.

Disable floatformat Filter

Applies to: all

Remove or disable usage of the floatformat template filter in templates where it is not essential.

🧯 If You Can't Patch

  • Implement strict input validation to reject scientific notation strings with exponents exceeding reasonable bounds (e.g., > 1000).
  • Deploy rate limiting and request filtering at the web server or WAF level to block suspicious patterns.
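An added example of the input-validation workaround described above (not code from this page or from Django itself): a pre-check that parses the value as a Decimal, which is cheap, and rejects non-finite values and exponents beyond a bound before the value ever reaches floatformat. The threshold of 1000 and the function names are assumptions for this example, not Django's own limit.

```python
from decimal import Decimal, InvalidOperation

# Upper bound on the decimal exponent accepted from user input. The value is
# an assumption for this example (the workaround above suggests roughly 1000);
# it is not Django's own threshold.
MAX_ABS_EXPONENT = 1000


def is_safe_for_floatformat(value, max_abs_exponent=MAX_ABS_EXPONENT):
    """Return True only if `value` parses as a finite decimal whose exponent
    magnitude is within bounds.

    The formatting work floatformat does grows with the size of the exponent,
    so an input such as "1e999999" is exactly what must be stopped here.
    Constructing a Decimal from the string does not expand the number, which is
    why this check is cheap to run first.
    """
    try:
        d = Decimal(str(value).strip())
    except (InvalidOperation, ValueError):
        return False  # not a number at all
    if not d.is_finite():
        # NaN and Infinity carry no integer exponent and are never useful here.
        return False
    exponent = d.as_tuple().exponent
    return abs(exponent) <= max_abs_exponent


def guard_floatformat_input(value, fallback="", max_abs_exponent=MAX_ABS_EXPONENT):
    """Return `value` unchanged when it is safe to hand to floatformat,
    otherwise return `fallback`. Intended for the call site, e.g. wrapped in a
    custom template filter that runs before floatformat."""
    if is_safe_for_floatformat(value, max_abs_exponent):
        return value
    return fallback


if __name__ == "__main__":
    # Constructed sample inputs: ordinary numbers pass, oversized exponents,
    # non-finite values and junk are rejected before reaching the filter.
    for sample in ["3.14159", "1e300", 42, 1.5, "1e999999", "1e-999999", "NaN", "abc"]:
        print(repr(sample), "->", is_safe_for_floatformat(sample))
```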

🔍 How to Verify

Check if Vulnerable:

Check Django version: 'python -m django --version'. If version is 5.0.x < 5.0.8 or 4.2.x < 4.2.15, you are vulnerable.

Check Version:

python -m django --version

Verify Fix Applied:

After patching, verify version shows 5.0.8 or 4.2.15. Test endpoints using floatformat with normal scientific notation to ensure functionality remains.

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory consumption spikes
  • Process termination due to memory limits
  • Repeated requests with scientific notation patterns

Network Indicators:

  • HTTP requests containing scientific notation strings with large exponents (e.g., 1e999999)

SIEM Query:

source="web_logs" AND (uri="*floatformat*" OR params="*e[0-9]{5,}*")
