
Django was affected by CVE-2024-53907 and CVE-2024-53908


The Django team has released Django 5.1.4, Django 5.0.10, and Django 4.2.17 versions to address two security vulnerabilities.

The first vulnerability, tracked as CVE-2024-53907 with a CVSS score of 7.5, is a denial-of-service (DoS) vulnerability in the django.utils.html.strip_tags() method and the striptags template filter. According to the advisory, “certain inputs containing large sequences of nested incomplete HTML entities” could trigger this vulnerability.

The second vulnerability, tracked as CVE-2024-53908 with a CVSS score of 9.8, is a SQL injection vulnerability affecting the django.db.models.fields.json.HasKey lookup on Oracle databases. The advisory warns that “direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is subject to SQL injection if untrusted data is used as a lhs value.”

The following supported Django versions are impacted.

Users can obtain the patches from the respective changesets provided in the official security advisory.

The Django team urges all users to prioritize updating their Django installations to the latest secure versions to mitigate the risk posed by these vulnerabilities.
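As an added illustration, not code from the advisory or the Django project, the following Python check classifies a pinned Django version against the fixed releases named above (5.1.4, 5.0.10, 4.2.17). The names `FIXED_RELEASES`, `is_patched` and `audit_requirements` are chosen here; a series the advisory does not name yields None rather than a verdict.

```python
import re
from typing import Optional

# First patched release of each supported series named in the advisory.
# Constructed mapping: (major, minor) -> (major, minor, micro, is_final).
FIXED_RELEASES = {
    (5, 1): (5, 1, 4, 1),
    (5, 0): (5, 0, 10, 1),
    (4, 2): (4, 2, 17, 1),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)\d+)?$")

def parse_version(version: str):
    """Return (major, minor, micro, is_final) for a Django version string.
    A missing micro counts as 0; a pre-release tag (a/b/rc) sorts below the final."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, micro, pre = m.groups()
    return int(major), int(minor), int(micro or 0), 0 if pre else 1

def is_patched(version: str) -> Optional[bool]:
    """True if the version carries the fixes for CVE-2024-53907 and
    CVE-2024-53908, False if it is an affected release of a named series,
    None if the series is not one the advisory covers (no conclusion)."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed

def audit_requirements(text: str):
    """Scan requirements.txt-style lines for exact pins ('Django==x.y.z',
    case-insensitive) and return a list of (version, is_patched) findings."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        m = re.match(r"^django\s*==\s*([\w.]+)", line, re.IGNORECASE)
        if m:
            findings.append((m.group(1), is_patched(m.group(1))))
    return findings

if __name__ == "__main__":
    # Constructed sample requirements file, not taken from any real project.
    sample = "Django==5.1.3  # pinned before the advisory\nrequests==2.32.3\n"
    for version, ok in audit_requirements(sample):
        print(version, "patched" if ok else "update required")
```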
