Dependency vulnerability alerts for Django (advisory; requires confirmation).
# Django security dependency alerts Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files. Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades. ### CVE-2024-53907 — Django ReDoS in strip_tags() Context: Catastrophic regex backtracking in strip_tags() can cause denial of service with crafted HTML input. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-53907 WHEN you detect `django` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-53907: django may be vulnerable. Catastrophic regex backtracking in strip_tags() can cause denial of service with crafted HTML input. Patched versions: django >=4.2.17 CHECK for dependency conflicts before proposing any upgrade: Run: `python -m pip show django` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade --- ### CVE-2024-45230 — Django urlize() XSS Context: The urlize() function can inject unescaped HTML into output when converting URLs in text, allowing XSS attacks. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-45230 WHEN you detect `django` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-45230: django may be vulnerable. The urlize() function can inject unescaped HTML into output when converting URLs in text, allowing XSS attacks. Patched versions: django >=4.2.16 CHECK for dependency conflicts before proposing any upgrade: Run: `python -m pip show django` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade --- ### CVE-2024-38875 — Django URLValidator ReDoS Context: Specially crafted URLs can cause regex backtracking, leading to excessive CPU consumption and denial of service. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-38875 WHEN you detect `django` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-38875: django may be vulnerable. Specially crafted URLs can cause regex backtracking, leading to excessive CPU consumption and denial of service. Patched versions: django >=4.2.14 CHECK for dependency conflicts before proposing any upgrade: Run: `python -m pip show django` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade ---
# Django security dependency alerts Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files. Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades. ### CVE-2024-53907 — Django ReDoS in strip_tags() Context: Catastrophic regex backtracking in strip_tags() can cause denial of service with crafted HTML input. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-53907 WHEN you detect `django` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-53907: django may be vulnerable. Catastrophic regex backtracking in strip_tags() can cause denial of service with crafted HTML input. Patched versions: django >=4.2.17 CHECK for dependency conflicts before proposing any upgrade: Run: `python -m pip show django` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade --- ### CVE-2024-45230 — Django urlize() XSS Context: The urlize() function can inject unescaped HTML into output when converting URLs in text, allowing XSS attacks. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-45230 WHEN you detect `django` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-45230: django may be vulnerable. The urlize() function can inject unescaped HTML into output when converting URLs in text, allowing XSS attacks. Patched versions: django >=4.2.16 CHECK for dependency conflicts before proposing any upgrade: Run: `python -m pip show django` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade --- ### CVE-2024-38875 — Django URLValidator ReDoS Context: Specially crafted URLs can cause regex backtracking, leading to excessive CPU consumption and denial of service. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-38875 WHEN you detect `django` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-38875: django may be vulnerable. Specially crafted URLs can cause regex backtracking, leading to excessive CPU consumption and denial of service. Patched versions: django >=4.2.14 CHECK for dependency conflicts before proposing any upgrade: Run: `python -m pip show django` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade ---