Vulnerability Description
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Djangoproject | Django | >= 4.2.0, < 4.2.21 |
Related Weaknesses (CWE)
References
- https://docs.djangoproject.com/en/dev/releases/security/Release Notes
- https://groups.google.com/g/django-announceMailing List
- https://www.djangoproject.com/weblog/2025/may/07/security-releases/Vendor Advisory
- http://www.openwall.com/lists/oss-security/2025/05/07/1Mailing ListThird Party Advisory
FAQ
What is CVE-2025-32873?
CVE-2025-32873 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performanc...
How severe is CVE-2025-32873?
CVE-2025-32873 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-32873?
Check the references section above for vendor advisories and patch information. Affected products include: Djangoproject Django.