Search for vulnerabilities
Vulnerability details: VCID-6eh4-7hcj-duft
Vulnerability ID VCID-6eh4-7hcj-duft
Aliases BIT-django-2025-32873
CVE-2025-32873
GHSA-8j24-cjrq-gr2m
PYSEC-2025-37
Summary An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32873.json
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-32873
cvssv3.1 5.3 https://docs.djangoproject.com/en/dev/releases/security
generic_textual MODERATE https://docs.djangoproject.com/en/dev/releases/security
cvssv3.1 5.3 https://docs.djangoproject.com/en/dev/releases/security/
ssvc Track https://docs.djangoproject.com/en/dev/releases/security/
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-8j24-cjrq-gr2m
cvssv3.1 5.3 https://github.com/django/django
generic_textual MODERATE https://github.com/django/django
cvssv3.1 5.3 https://github.com/django/django/commit/9f3419b519799d69f2aba70b9d25abe2e70d03e0
generic_textual MODERATE https://github.com/django/django/commit/9f3419b519799d69f2aba70b9d25abe2e70d03e0
cvssv3.1 5.3 https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-37.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-37.yaml
cvssv3.1 5.3 https://groups.google.com/g/django-announce
generic_textual MODERATE https://groups.google.com/g/django-announce
ssvc Track https://groups.google.com/g/django-announce
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2025-32873
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-32873
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-32873
archlinux Medium https://security.archlinux.org/AVG-2876
cvssv3.1 5.3 https://www.djangoproject.com/weblog/2025/may/07/security-releases
generic_textual MODERATE https://www.djangoproject.com/weblog/2025/may/07/security-releases
cvssv3.1 5.3 https://www.djangoproject.com/weblog/2025/may/07/security-releases/
ssvc Track https://www.djangoproject.com/weblog/2025/may/07/security-releases/
cvssv3.1 5.3 http://www.openwall.com/lists/oss-security/2025/05/07/1
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2025/05/07/1
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32873.json
https://api.first.org/data/v1/epss?cve=CVE-2025-32873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32873
https://docs.djangoproject.com/en/dev/releases/security
https://docs.djangoproject.com/en/dev/releases/security/
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/django/django
https://github.com/django/django/commit/9f3419b519799d69f2aba70b9d25abe2e70d03e0
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-37.yaml
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2025/may/07/security-releases
https://www.djangoproject.com/weblog/2025/may/07/security-releases/
http://www.openwall.com/lists/oss-security/2025/05/07/1
1104872 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104872
2364980 https://bugzilla.redhat.com/show_bug.cgi?id=2364980
ASA-202505-10 https://security.archlinux.org/ASA-202505-10
AVG-2876 https://security.archlinux.org/AVG-2876
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:5.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django:5.2:*:*:*:*:*:*:*
CVE-2025-32873 https://nvd.nist.gov/vuln/detail/CVE-2025-32873
GHSA-8j24-cjrq-gr2m https://github.com/advisories/GHSA-8j24-cjrq-gr2m
USN-7501-1 https://usn.ubuntu.com/7501-1/
USN-7501-2 https://usn.ubuntu.com/7501-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32873.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://docs.djangoproject.com/en/dev/releases/security
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://docs.djangoproject.com/en/dev/releases/security/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:36:22Z/ Found at https://docs.djangoproject.com/en/dev/releases/security/
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/django/django
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/django/django/commit/9f3419b519799d69f2aba70b9d25abe2e70d03e0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-37.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://groups.google.com/g/django-announce
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:36:22Z/ Found at https://groups.google.com/g/django-announce
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2025-32873
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-32873
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.djangoproject.com/weblog/2025/may/07/security-releases
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.djangoproject.com/weblog/2025/may/07/security-releases/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:36:22Z/ Found at https://www.djangoproject.com/weblog/2025/may/07/security-releases/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at http://www.openwall.com/lists/oss-security/2025/05/07/1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.01248
EPSS Score 0.00013
Published At May 13, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-05-07T12:02:29.363648+00:00 SUSE Severity Score Importer Import https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml 36.0.0