Django security releases issued: 5.2.1, 5.1.9 and 4.2.21

CVE-2025-32873: Denial-of-service possibility in strip_tags()

django.utils.html.strip_tags() would be slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the striptags template filter, which was thus also vulnerable. django.utils.html.strip_tags() now raises a SuspiciousOperation exception if it encounters an unusually large number of unclosed opening tags.

Thanks to Elias Myllymäki for the report.

This issue has severity "moderate" according to the Django security policy.

Affected supported versions

• Django main
• Django 5.2
• Django 5.1
• Django 4.2

Resolution

Patches to resolve the issue have been applied to Django's main, 5.2, 5.1, and 4.2 branches. The patches may be obtained from the following changesets.

The following releases have been issued

• Django 5.2.1 (download Django 5.2.1 | 5.2.1 checksums)
• Django 5.1.9 (download Django 5.1.9 | 5.1.9 checksums)
• Django 4.2.21 (download Django 4.2.21 | 4.2.21 checksums)

The PGP key ID used for this release is Natalia Bidart: 2EE82A8D9470983E

These releases were built using an upgraded version of setuptools, which produces filenames compliant with PEP 491 and PEP 625, addressing a PyPI warning about non-compliant distribution filenames. This change only affects the Django packaging process and does not impact Django's behavior or functionality.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance, nor via the Django Forum. Please see our security policies for further information.