Arch Linux Security Advisory ASA-202505-10 ========================================== Severity: Medium Date : 2025-05-19 CVE-ID : CVE-2025-32873 Package : python-django Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2876 Summary ======= The package python-django before version 5.1.9-1 is vulnerable to denial of service. Resolution ========== Upgrade to 5.1.9-1. # pacman -Syu "python-django>=5.1.9-1" The problem has been fixed upstream in version 5.1.9. Workaround ========== None. Description =========== django.utils.html.strip_tags() would be slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the striptags template filter, which was thus also vulnerable. django.utils.html.strip_tags() now raises a SuspiciousOperation exception if it encounters an unusually large number of unclosed opening tags. Impact ====== A remote attacker can exploit inefficient HTML tag parsing in Django’s strip_tags() function to cause excessive CPU usage, leading to a denial of service. This may affect applications that use the striptags template filter to sanitize user-controlled input, making them vulnerable to slowdown or unresponsiveness when handling specially crafted HTML content. References ========== https://www.djangoproject.com/weblog/2025/may/07/security-releases/ https://security.archlinux.org/CVE-2025-32873