Sunday, May 4, 2025
HomeCVE/vulnerabilityDjango Security Update, Patch for DoS & SQL Injection Vulnerability

Django Security Update, Patch for DoS & SQL Injection Vulnerability

Published on

SIEM as a Service

Follow Us on Google News

 The Django team has issued critical security updates for versions 5.1.4, 5.0.10, and 4.2.17.

These updates address two vulnerabilities: a potential denial-of-service (DoS) attack in the strip_tags() method and a high-severity SQL injection risk in Oracle databases.

All developers and system administrators using affected versions are strongly encouraged to update to the newly released versions to ensure the security of their applications.

- Advertisement - Google News

CVE-2024-53907: Potential Denial-of-Service in strip_tags()

This vulnerability affects the django.utils.html.strip_tags() method and the striptags template filter, which are prone to a DoS attack.

The issue arises in scenarios where these methods handle inputs containing extensive sequences of nested, incomplete HTML entities.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

When such inputs are processed, the application can experience significant performance degradation.

This vulnerability was reported by jiangniao and has been classified as having moderate severity according to Django’s security policy. The affected versions include Django main, 5.1, 5.0, and 4.2.

CVE-2024-53908: Potential SQL Injection in HasKey(lhs, rhs) on Oracle

A second vulnerability was identified in the HasKey lookup, which is part of the django.db.models.fields.json module.

On Oracle databases, this lookup can be exploited for SQL injection if untrusted data is passed as the left-hand side (lhs) value. However, applications using the jsonfield.has_key lookup through the double-underscore (__) syntax remain unaffected.

This vulnerability has been classified as high severity by the Django security team and was reported by Seokchan Yoon. Like the previous issue, affected versions include Django main, 5.1, 5.0, and 4.2.

Affected Supported Versions

The table below details the versions impacted by these vulnerabilities and the corresponding patched versions available in this release:

VersionStatusPatched Version
Django mainAffectedPatched
Django 5.1Affected5.1.4
Django 5.0Affected5.0.10
Django 4.2Affected4.2.17

Resolution and Patches

The Django team has addressed these issues by releasing patches for the main development branch and older supported versions, specifically 5.1, 5.0, and 4.2.

The latest updates—Django 5.1.4, 5.0.10, and 4.2.17—are now available for download. The updates comprehensively resolve the vulnerabilities associated with both CVE-2024-53907 and CVE-2024-53908.

Users can access the patched releases through Django’s official website. The releases were signed with the PGP key belonging to Sarah Boyce (ID: 3955B19851EA96EF).

To mitigate these risks, Django users are advised to update their applications to the latest patched versions immediately.

Additionally, developers should review their codebases for the use of vulnerable methods or lookups, especially on Oracle databases.

Staying informed about future security releases through Django’s official channels is crucial to maintaining the security and stability of applications.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...