django@4.0rc1 vulnerabilities

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Direct Vulnerabilities

Known vulnerabilities in the django package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in django.utils.text.Truncator.words(), whose performance can be degraded when processing a malicious input involving repeated < characters.

Note:

The function is only vulnerable when html=True is set and the truncatewords_html template filter is in use.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade django to version 3.2.25, 4.2.11, 5.0.3 or higher.

[,3.2.25) [4.0a1,4.2.11) [5.0a1,5.0.3)
  • M
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via the NFKC normalization function in django.contrib.auth.forms.UsernameField. A potential attack can be executed via certain inputs with a very large number of Unicode characters.

Note: This vulnerability is only exploitable on Windows systems.

How to fix Denial of Service (DoS)?

Upgrade django to version 3.2.23, 4.1.13, 4.2.7 or higher.

[,3.2.23) [4.0a1,4.1.13) [4.2a1,4.2.7)
  • H
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) in the django.utils.encoding.uri_to_iri() function when processing inputs with a large number of Unicode characters.

How to fix Denial of Service (DoS)?

Upgrade django to version 3.2.21, 4.1.11, 4.2.5 or higher.

[,3.2.21) [4.0a1,4.1.11) [4.2a1,4.2.5)
  • H
Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the EmailValidator and URLValidator classes, when processing a very large number of domain name labels on emails or URLs.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade django to version 3.2.20, 4.1.10, 4.2.3 or higher.

[,3.2.20) [4.0a1,4.1.10) [4.2a1,4.2.3)
  • H
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) when parsing multipart form data in http/multipartparser.py. An attacker can trigger the opening of a large number of uploaded files which are not subsequently closed, consuming memory or filehandling resources.

How to fix Denial of Service (DoS)?

Upgrade django to version 3.2.18, 4.0.10, 4.1.7 or higher.

[,3.2.18) [4.0a1,4.0.10) [4.1a1,4.1.7)
  • M
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) when using internationalized URLs, due to locale parameter being interpreted as regular expression.

How to fix Denial of Service (DoS)?

Upgrade django to version 4.1.2, 4.0.8, 3.2.16 or higher.

[4.1a1,4.1.2) [4.0a1,4.0.8) [3.2a1,3.2.16)
  • H
Reflected File Download (RFD)

Affected versions of this package are vulnerable to Reflected File Download (RFD) as it is possible to set the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

How to fix Reflected File Download (RFD)?

Upgrade django to version 3.2.15, 4.0.7, 4.1 or higher.

[,3.2.15) [4.0a1,4.0.7) [4.1rc1,4.1)
  • C
SQL Injection

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to SQL Injection via the Trunc(kind) and Extract(lookup_name) arguments, if untrusted data is used as a kind/lookup_name value.

Note: Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Django 4.1 pre-released versions (4.1a1, 4.1a2) are affected by this issue, please avoid using the 4.1 branch until 4.1.0 is released.

How to fix SQL Injection?

Upgrade Django to version 3.2.14, 4.0.6 or higher.

[,3.2.14) [4.0a1,4.0.6)