CVE-2025-32873

5.3 MEDIUM

📋 TL;DR

This vulnerability in Django's strip_tags() function and the striptags template filter lets an attacker cause a denial of service: an input containing a large sequence of incomplete (unclosed) HTML tags makes the stripping loop do far more work than the input size warrants, tying up the worker that handles the request. Only Django applications that pass attacker-controlled input through these functions (typically to sanitize user-generated HTML) are exposed, but the affected code ships in every listed version, so assume exposure until you have confirmed neither function is applied to untrusted input.

💻 Affected Systems

Products:
  • Django
Versions: Django 4.2 before 4.2.21, Django 5.1 before 5.1.9, Django 5.2 before 5.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is strip_tags() in django.utils.html and the striptags template filter, which calls it. Applications that never apply either to attacker-controlled input are not affected; check third-party packages as well, since they may call strip_tags() on your behalf.

📦 What is this software?

Django is an open-source Python web framework. strip_tags() in django.utils.html removes HTML tags from a string and is exposed to templates as the striptags filter; both are commonly used to clean user-generated content before it is displayed or stored.
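To make the mechanism concrete, here is an added example (not Django's code and not from this page): a simplified model of a single-pass HTML stripper that is re-run until the number of '<' characters stops dropping, exercised on a constructed payload of nested incomplete tags. The class, function and payload names are the example's own; the loop is modelled on the pre-fix behaviour described above and the standard html.parser module does the per-pass work. Each level of nesting survives one pass and exposes a fresh tag for the next, so the number of passes equals the nesting depth and total work grows quadratically with payload length.

```python
from html.parser import HTMLParser
import time


class _OnePassStripper(HTMLParser):
    """Drop everything the parser recognises as a tag; keep text and entity/char references."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.pieces = []

    def handle_data(self, data):
        self.pieces.append(data)

    def handle_entityref(self, name):
        self.pieces.append(f"&{name};")

    def handle_charref(self, name):
        self.pieces.append(f"&#{name};")

    def text(self):
        return "".join(self.pieces)


def strip_once(value: str) -> str:
    """One parser pass over the input."""
    parser = _OnePassStripper()
    parser.feed(value)
    parser.close()
    return parser.text()


def strip_tags_model(value: str) -> tuple[str, int]:
    """Model of the pre-fix loop: keep stripping while each pass still removes a '<'.

    Returns (stripped_text, passes). The loop exists because removing a tag can
    expose a new one ("<<a>a>" -> "<a>" -> ""), and that is what the payload abuses.
    """
    passes = 0
    while "<" in value and ">" in value:
        new_value = strip_once(value)
        if new_value.count("<") == value.count("<"):
            break  # the pass removed nothing; no more tags recognised
        value = new_value
        passes += 1
    return value, passes


def nested_incomplete_tags(depth: int) -> str:
    """Constructed payload: depth unclosed '<' openers, each becoming a tag only after a pass."""
    return "<" * depth + "a>" * depth


def passes_for(depth: int) -> int:
    """Number of full passes the model needs for a payload of the given depth."""
    return strip_tags_model(nested_incomplete_tags(depth))[1]


if __name__ == "__main__":
    # Wall time climbs roughly with depth squared: depth passes, each over the whole input.
    for depth in (10, 100, 500):
        payload = nested_incomplete_tags(depth)
        start = time.perf_counter()
        _, passes = strip_tags_model(payload)
        print(f"depth={depth:4d} len={len(payload):5d} passes={passes:4d} "
              f"{time.perf_counter() - start:.3f}s")
```

Run it directly to watch the pass count and wall time climb with depth. The patched Django releases stop this pattern by raising SuspiciousOperation when they meet an unusually large number of unclosed opening tags, rather than looping to completion.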

⚠️ Risk & Real-World Impact

🔴

Worst Case

Worker exhaustion: each crafted request occupies a worker process or thread for a long time, so a handful of concurrent requests can make the application unavailable to all users.

🟠

Likely Case

Degraded application performance and increased response times when processing user-generated content containing crafted HTML inputs.

🟢

If Mitigated

Minimal impact with proper input validation, rate limiting, and monitoring in place to detect abnormal processing patterns.

🌐 Internet-Facing: MEDIUM - Web applications accepting user input are vulnerable, but exploitation requires specific input patterns and may be detectable.
🏢 Internal Only: LOW - Internal applications typically process trusted content, though risk exists if they accept user input.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted input to any endpoint that feeds request data (form fields, query parameters, JSON bodies) into strip_tags() or renders it through the striptags filter. No authentication is needed if such an endpoint is publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 4.2.21, Django 5.1.9, Django 5.2.1

Vendor Advisory: https://www.djangoproject.com/weblog/2025/may/07/security-releases/

Restart Required: Yes

Instructions:

1. Check the running version: python -m django --version
2. Upgrade to the fixed release for your series, e.g. pip install --upgrade "Django==4.2.21" (or 5.1.9 / 5.2.1 as appropriate), and update the pin in requirements.txt or your lock file so the next deploy does not reinstall the vulnerable version.
3. Restart the application server so the new code is loaded (a running WSGI/ASGI process keeps the old module in memory).
4. Test functionality, including any form or template that strips HTML from user input.

🔧 Temporary Workarounds

Input validation and sanitization (platform: all)

Reject or truncate oversized input, and input with many unclosed '<' characters, before it reaches strip_tags(). Legitimate HTML fragments escape a literal '<' as &lt;, so a high count of '<' characters that do not start a complete tag is a cheap, linear-time signal.

Rate limiting (platform: all)

Rate limit the endpoints whose handlers call strip_tags() or render input through striptags, so an attacker cannot occupy many workers at once. This bounds the blast radius but does not remove the slow path.
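One way to implement the validation workaround above, as an added example rather than Django project code or code from this page: count the '<' characters that do not begin a complete tag-like token and reject the fragment before strip_tags() ever sees it. The thresholds, function names and sample inputs are this example's assumptions; in a Django application the check belongs in a form's clean_<field>() method or a serializer validator, so the request is refused with a 400 before the view calls strip_tags(). The counting regex has no nested quantifiers, so the check itself is linear in the input size.

```python
import re

# Assumed limits for this example; tune to what your forms legitimately accept.
MAX_FRAGMENT_LENGTH = 50_000   # stripping cost scales with input size
MAX_STRAY_OPENERS = 16         # '<' characters that do not open a complete tag

# A complete tag-like token: '<', a plausible first character, then up to the
# next '>' with no further '<' in between. Everything else containing '<' is stray.
_COMPLETE_TAG = re.compile(r"<[A-Za-z/!?][^<>]*>")


class UnsafeHtmlFragment(ValueError):
    """Raised when a fragment looks shaped to exhaust the tag-stripping loop."""


def stray_opener_count(value: str) -> int:
    """Number of '<' characters that are not the start of a complete tag-like token."""
    return value.count("<") - len(_COMPLETE_TAG.findall(value))


def validate_html_fragment(value: str) -> str:
    """Return value unchanged if it passes the cheap checks, else raise UnsafeHtmlFragment."""
    if len(value) > MAX_FRAGMENT_LENGTH:
        raise UnsafeHtmlFragment(
            f"fragment too long ({len(value)} > {MAX_FRAGMENT_LENGTH})")
    stray = stray_opener_count(value)
    if stray > MAX_STRAY_OPENERS:
        raise UnsafeHtmlFragment(
            f"{stray} stray '<' characters (limit {MAX_STRAY_OPENERS})")
    return value


def is_acceptable(value: str) -> bool:
    """Boolean form of the check, convenient for middleware and tests."""
    try:
        validate_html_fragment(value)
    except UnsafeHtmlFragment:
        return False
    return True


# Constructed samples: an ordinary comment with one literal '<', and the
# nested-incomplete-tag shape this advisory describes.
BENIGN = "<p>Use &lt;b&gt; for <b>bold</b>, 2 < 3 is true</p>"
ATTACK = "<" * 200 + "a>" * 200


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("attack", ATTACK)):
        print(f"{label}: stray={stray_opener_count(sample)} accepted={is_acceptable(sample)}")
```

The benign sample passes with a single stray '<' (the "2 < 3"), while the attack sample is refused because 199 of its 200 '<' characters never open a complete tag. Keep the limit generous: the goal is to stop inputs that exist only to trigger the slow path, not to reject sloppy but harmless markup.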

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules that block request bodies and parameters containing long runs of '<' characters not followed by a tag name (the payload is mostly stray '<'); keep the rule a simple count or a linear regex so the WAF does not become the slow component
  • Monitor application performance metrics and alert on abnormal CPU usage or request latency on the endpoints that process HTML input

🔍 How to Verify

Check if Vulnerable:

Compare the installed Django version (command below) against the affected ranges: 4.2.x below 4.2.21, 5.1.x below 5.1.9, and 5.2.0. Check every environment the application runs in, not only the pin in requirements, since the two can differ. Then search the code base and installed packages for strip_tags and striptags to learn which endpoints are actually exposed.

Check Version:

python -c "import django; print(django.get_version())"

Verify Fix Applied:

After patching, confirm the reported version is 4.2.21, 5.1.9 or 5.2.1, or a later release in the same series. As a functional check, call strip_tags() on an input with a large run of unclosed opening tags: the patched releases raise django.core.exceptions.SuspiciousOperation (which Django's request handling turns into an HTTP 400 response) instead of spinning on the input.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for requests containing HTML input
  • High CPU usage spikes correlated with user input processing

Network Indicators:

  • Request parameters or bodies containing long runs of '<' characters with no closing '>' (for example '<<<<<' followed by repeated 'a>'), as opposed to ordinary markup such as '<a href="...">'

SIEM Query:

source="web_logs" AND method="POST" AND (uri="/comments/*" OR uri="/profile/*") AND response_time > 5000

Function names never appear in request URIs, so the uri clause must list the endpoints (the two above are placeholders) whose handlers pass request data to strip_tags() or render it through striptags. Where request bodies are logged, correlate the slow requests with bodies containing long runs of '<'.
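A scripted version of the detection above, added here as an example that is not part of this page or of Django: it parses a constructed JSON-lines request log (the format, field names and thresholds are assumptions), decodes form bodies, and rates each record by whether the response was slow and whether the body carries the stray-'<' shape this advisory describes. Slow plus shaped is the strong signal; shaped alone means the payload was seen (perhaps rejected or already patched); slow alone needs ordinary triage.

```python
import json
import re
from urllib.parse import parse_qs, quote_plus

# Assumed thresholds for this example; tune to your latency baseline and content.
SLOW_MS = 5000
STRAY_LT_LIMIT = 16

# A '<' that does not begin a complete tag-like token is "stray"; the payload
# shape in this advisory is almost entirely stray '<' characters.
_COMPLETE_TAG = re.compile(r"<[A-Za-z/!?][^<>]*>")


def stray_opener_count(text: str) -> int:
    return text.count("<") - len(_COMPLETE_TAG.findall(text))


def max_stray_in_body(body: str) -> int:
    """Decode an application/x-www-form-urlencoded body and return the worst field's count."""
    if not body:
        return 0
    fields = parse_qs(body, keep_blank_values=True)
    return max((stray_opener_count(v) for values in fields.values() for v in values),
               default=0)


def classify(record: dict):
    """Return a severity string for one log record, or None if nothing is suspicious."""
    slow = record.get("duration_ms", 0) > SLOW_MS
    shaped = max_stray_in_body(record.get("body", "")) > STRAY_LT_LIMIT
    if slow and shaped:
        return "high"    # slow response and the payload shape that causes it
    if shaped:
        return "medium"  # payload seen; the app may have rejected it or be patched
    if slow:
        return "low"     # slow for some other reason; normal triage
    return None


def scan(lines):
    """Parse JSON-lines records and return (timestamp, path, severity) findings."""
    findings = []
    for line in lines:
        record = json.loads(line)
        severity = classify(record)
        if severity:
            findings.append((record["ts"], record["path"], severity))
    return findings


# Constructed sample log (assumed JSON-lines format with the request body captured).
_ATTACK_BODY = "text=" + quote_plus("<" * 300 + "a>" * 300)
SAMPLE_LOG = [
    json.dumps({"ts": "2025-05-08T10:00:01Z", "method": "POST", "path": "/comments/",
                "status": 200, "duration_ms": 42,
                "body": "text=" + quote_plus("Nice post! <b>thanks</b>")}),
    json.dumps({"ts": "2025-05-08T10:00:02Z", "method": "POST", "path": "/comments/",
                "status": 200, "duration_ms": 8120, "body": _ATTACK_BODY}),
    json.dumps({"ts": "2025-05-08T10:00:03Z", "method": "GET", "path": "/comments/",
                "status": 200, "duration_ms": 15, "body": ""}),
    json.dumps({"ts": "2025-05-08T10:00:04Z", "method": "POST", "path": "/search/",
                "status": 200, "duration_ms": 6100, "body": "q=django"}),
]


if __name__ == "__main__":
    for ts, path, severity in scan(SAMPLE_LOG):
        print(ts, path, severity)
```

Only the second record is rated high: it is both slow and carries 299 stray '<' characters once the body is URL-decoded. The decode step matters, since a WAF or log search that inspects the raw body sees %3C rather than '<'.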

🔗 References

  • Django security releases, 7 May 2025: https://www.djangoproject.com/weblog/2025/may/07/security-releases/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-32873
