CVE-2024-41991

7.5 HIGH

📋 TL;DR

This vulnerability in Django's urlize/urlizetrunc template filters and AdminURLFieldWidget allows attackers to cause denial-of-service by submitting inputs with extremely large numbers of Unicode characters. The affected systems are Django applications using these template filters or the admin widget. This affects Django 5.0 before 5.0.8 and Django 4.2 before 4.2.15.

💻 Affected Systems

Products:
  • Django
Versions: Django 5.0 before 5.0.8, Django 4.2 before 4.2.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using urlize, urlizetrunc template filters, or AdminURLFieldWidget. Django applications not using these features are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete service unavailability due to resource exhaustion from processing malicious inputs, potentially affecting all users of the Django application.

🟠 Likely Case
Degraded performance or temporary service disruption affecting specific endpoints using vulnerable template filters.

🟢 If Mitigated
Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted inputs to endpoints using vulnerable template filters. No authentication needed if vulnerable endpoints are publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 5.0.8 or 4.2.15

Vendor Advisory: https://www.djangoproject.com/weblog/2024/aug/06/security-releases/

Restart Required: Yes

Instructions:

1. Upgrade Django to version 5.0.8 or 4.2.15 using pip: 'pip install Django==5.0.8' or 'pip install Django==4.2.15'.
2. Restart your Django application server.
3. Test that urlize/urlizetrunc filters and AdminURLFieldWidget still function correctly.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)
Implement custom input validation to limit the length of Unicode strings processed by urlize/urlizetrunc filters.

Disable Vulnerable Features (applies to: all)
Temporarily disable or replace urlize/urlizetrunc template filters and AdminURLFieldWidget with custom implementations.

🧯 If You Can't Patch

  • Implement WAF rules to block requests with excessive Unicode characters
  • Apply rate limiting to endpoints using vulnerable template filters

🔍 How to Verify

Check if Vulnerable:

Check the Django version with 'python -m django --version'. If the version is 5.0.0-5.0.7 or 4.2.0-4.2.14, and the application uses the urlize/urlizetrunc filters or AdminURLFieldWidget, it is vulnerable.

Check Version:

python -m django --version

Verify Fix Applied:

After patching, verify Django version is 5.0.8 or 4.2.15, and test that urlize/urlizetrunc filters handle inputs without performance degradation.
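As an added example (not part of this advisory), a small Python script that applies the check above: it decides from the version string printed by 'python -m django --version' whether the install falls in an affected range, and scans template and Python sources for the urlize/urlizetrunc filters and the AdminURLFieldWidget. The sample sources are constructed; run it against your own files in practice.

```python
import re

# Affected ranges from the advisory: 5.0.0-5.0.7 (fixed in 5.0.8) and
# 4.2.0-4.2.14 (fixed in 4.2.15). Other release lines are treated as unaffected.
FIXED_PATCH = {(5, 0): 8, (4, 2): 15}

# Template syntax "|urlize" / "|urlizetrunc:N" and the admin widget class name.
FILTER_RE = re.compile(r"\|\s*urlize(?:trunc)?\b")
WIDGET_RE = re.compile(r"\bAdminURLFieldWidget\b")


def parse_version(text):
    """Turn a version string such as '5.0.7' into a (major, minor, patch) tuple."""
    nums = []
    for part in text.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def version_is_affected(version):
    """True if the version is in one of the affected ranges."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def find_usages(sources):
    """Return the paths (in a path -> contents mapping) that use a vulnerable feature."""
    return [p for p, body in sources.items()
            if FILTER_RE.search(body) or WIDGET_RE.search(body)]


def assess(version, sources):
    """Combine both conditions: affected version AND the feature is actually used."""
    usages = find_usages(sources)
    return {"affected_version": version_is_affected(version),
            "usages": usages,
            "vulnerable": version_is_affected(version) and bool(usages)}


# Constructed sample inputs (hypothetical paths and contents).
SAMPLE_SOURCES = {
    "templates/post.html": "{{ post.body|urlizetrunc:40 }}",
    "templates/about.html": "{{ page.text|linebreaks }}",
    "app/admin.py": "from django.contrib.admin.widgets import AdminURLFieldWidget",
}

if __name__ == "__main__":
    print(assess("5.0.7", SAMPLE_SOURCES))
```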

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for requests using template filters
  • High CPU/memory usage spikes from Django processes
  • Requests with extremely long Unicode strings in parameters

Network Indicators:

  • HTTP requests with abnormally long Unicode payloads to Django endpoints
  • Sudden increase in request size to template-rendering endpoints

SIEM Query:

source="django" AND (message="urlize" OR message="urlizetrunc") AND request_size>10000
