fix(deps): update dependency django [security] #9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=80&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==4.2.17->==4.2.21==3.2.25->==4.2.16==2.2.28->==4.2.16>=2.2->>=4.2.21>= 1.10->>=4.2.21BIT-django-2024-56374 / CVE-2024-56374 / GHSA-qcgg-j2x8-h9g8 / PYSEC-2025-1
More information
Details
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)
Severity
Unknown
References
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Django has a potential denial-of-service vulnerability in IPv6 validation
BIT-django-2024-56374 / CVE-2024-56374 / GHSA-qcgg-j2x8-h9g8 / PYSEC-2025-1
More information
Details
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions
clean_ipv6_addressandis_valid_ipv6_addressare vulnerable, as is thedjango.forms.GenericIPAddressFieldform field. (The django.db.models.GenericIPAddressField model field is not affected.)Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
BIT-django-2025-26699 / CVE-2025-26699 / GHSA-p3fp-8748-vqfq / PYSEC-2025-13
More information
Details
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Severity
Unknown
References
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Django vulnerable to Allocation of Resources Without Limits or Throttling
BIT-django-2025-26699 / CVE-2025-26699 / GHSA-p3fp-8748-vqfq / PYSEC-2025-13
More information
Details
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Django has a denial-of-service possibility in strip_tags()
CVE-2025-32873 / GHSA-8j24-cjrq-gr2m / PYSEC-2025-37
More information
Details
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
CVE-2025-32873 / GHSA-8j24-cjrq-gr2m / PYSEC-2025-37
More information
Details
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().
Severity
Unknown
References
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Django allows enumeration of user e-mail addresses
BIT-django-2024-45231 / CVE-2024-45231 / GHSA-rrqc-c2jx-6jgv
More information
Details
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Django vulnerable to Reflected File Download attack
BIT-django-2022-36359 / CVE-2022-36359 / GHSA-8x94-hmjh-97hq / PYSEC-2022-245
More information
Details
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
django/django (Django)
v4.2.21Compare Source
v4.2.20Compare Source
v4.2.19Compare Source
v4.2.18Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.