
CVE-2024-27351

Severity: Medium
Published: Fri Mar 15 2024 (03/15/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

AI-Powered Analysis

Last updated: 11/04/2025, 18:11:24 UTC

Technical Analysis

CVE-2024-27351 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Django web framework, specifically in the django.utils.text.Truncator.words() method when invoked with html=True, and in the truncatewords_html template filter, which uses that method. It affects Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3. The root cause is an incomplete remediation of earlier ReDoS vulnerabilities in the same code paths (CVE-2019-14232 and CVE-2023-43665). An attacker can supply a crafted string that triggers catastrophic backtracking in the regular expression engine, causing excessive CPU consumption and potentially denying service by exhausting server resources. The attack vector is remote (network) and requires no privileges, but does require user interaction (e.g., submitting crafted input to a vulnerable web application). The CVSS v3.1 score is 5.3 (medium), reflecting an impact limited to availability, with no confidentiality or integrity effects. No exploits have been reported in the wild yet, but the vulnerability poses a risk to any Django-based web application that passes untrusted input through the affected methods. The vulnerability is categorized under CWE-1333 (Regular Expression Denial of Service).

Potential Impact

For European organizations, the primary impact of CVE-2024-27351 is the potential for denial of service against web applications built on vulnerable Django versions. This can lead to service outages, degraded user experience, and reputational damage. Organizations relying on Django for critical web services, especially those rendering user-generated content with the truncatewords_html filter or Truncator.words(html=True), are at risk of resource exhaustion. While the vulnerability does not compromise data confidentiality or integrity, availability disruptions can affect business continuity and customer trust. Sectors with high web traffic or public-facing applications, such as e-commerce, government portals, and financial services, may be particularly exposed. Additionally, because user interaction is required, phishing or social engineering could be used to lure users into triggering the condition. Given the widespread use of Django in Europe, failure to patch could expose organizations to targeted or opportunistic ReDoS attacks.

Mitigation Recommendations

The most effective mitigation is to upgrade Django to versions 3.2.25, 4.2.11, or 5.0.3 or later, where the vulnerability is fully addressed. Organizations should audit their codebases to identify usage of django.utils.text.Truncator.words() with html=true and the truncatewords_html template filter, especially in contexts processing untrusted input. Input validation and sanitization should be enhanced to reject or safely handle suspiciously crafted strings that might trigger ReDoS. Implementing web application firewalls (WAFs) with rules to detect and block malicious payloads targeting regular expression engines can provide additional protection. Monitoring application performance metrics and logs for unusual CPU spikes or slowdowns can help detect exploitation attempts early. For critical services, consider rate limiting and user interaction controls to reduce exposure. Finally, educating developers about secure use of regular expressions and avoiding complex patterns on untrusted input is recommended to prevent similar issues.
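The audit steps above can be scripted. The following is an added example, not part of the advisory or of Django itself: it classifies an installed Django version against the fixed releases the description names (treating release series the advisory does not list, such as 4.1.x, as unassessed rather than safe) and scans file bodies for the two code paths involved. The sample files are constructed for the example.

```python
"""Audit helpers for CVE-2024-27351 (added example; version ranges and API
names come from the advisory text, the sample files below are constructed)."""
import re

# (major, minor) series -> first fixed release, as stated in the description.
FIXED = {(3, 2): (3, 2, 25), (4, 2): (4, 2, 11), (5, 0): (5, 0, 3)}


def parse_version(text):
    """'4.2.10' -> (4, 2, 10); tolerates a suffix such as '5.0.3rc1'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess_version(text):
    """Return 'affected', 'fixed', or 'not listed' for a Django version string."""
    version = parse_version(text)
    first_fixed = FIXED.get(version[:2])
    if first_fixed is None:
        return "not listed"  # series not covered by the advisory; check support status
    return "affected" if version < first_fixed else "fixed"


# The two code paths named in the advisory.
TEMPLATE_FILTER = re.compile(r"\|\s*truncatewords_html\b")
TRUNCATOR_HTML = re.compile(r"Truncator\s*\(.*?\)\s*\.\s*words\s*\(.*?\bhtml\s*=\s*True")


def find_usages(name, source):
    """Return (file, line_no, line) hits for the affected APIs in one file body."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if TEMPLATE_FILTER.search(line) or TRUNCATOR_HTML.search(line):
            hits.append((name, line_no, line.strip()))
    return hits


SAMPLE_FILES = {  # constructed samples, not from any real project
    "templates/post.html": "<p>{{ post.body|truncatewords_html:50 }}</p>",
    "blog/views.py": "summary = Truncator(post.body).words(40, html=True)",
    "blog/utils.py": "short = Truncator(title).words(5)",  # html=False: not in scope
}


def audit(files=SAMPLE_FILES):
    """Scan every file body and return all hits in file order."""
    return [hit for name, body in files.items() for hit in find_usages(name, body)]


if __name__ == "__main__":
    print("4.2.10:", assess_version("4.2.10"))
    for hit in audit():
        print("%s:%d: %s" % hit)
```

Hits in templates or views indicate code that must run on a fixed release or stop receiving untrusted input; a "not listed" result means the series is outside the advisory and its support status should be checked separately.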


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2024-02-25T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690a3b63ff58c9332ff097bd

Added to database: 11/4/2025, 5:44:03 PM

Last enriched: 11/4/2025, 6:11:24 PM

Last updated: 11/4/2025, 11:20:51 PM

