
CVE-2025-32873: CWE-770 Allocation of Resources Without Limits or Throttling in djangoproject Django

Medium
Tags: Vulnerability, CVE-2025-32873, CWE-770
Published: Thu May 08 2025 (05/08/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: djangoproject
Product: Django

Description

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. The template filter striptags is also vulnerable, because it is built on top of strip_tags().

AI-Powered Analysis

Last updated: 07/05/2025, 06:42:50 UTC

Technical Analysis

CVE-2025-32873 is a vulnerability identified in the Django web framework versions 4.2 prior to 4.2.21, 5.1 prior to 5.1.9, and 5.2 prior to 5.2.1. The issue resides in the django.utils.html.strip_tags() function, which is designed to remove HTML tags from input strings. The vulnerability arises because this function does not impose limits or throttling when processing inputs containing large sequences of incomplete or malformed HTML tags. This can lead to excessive resource consumption, causing slow performance or denial-of-service (DoS) conditions. The template filter striptags, which relies on strip_tags(), is also affected. The root cause is classified under CWE-770, which refers to allocation of resources without limits or throttling, allowing an attacker to craft inputs that cause the function to consume disproportionate CPU or memory resources. Exploitation does not require authentication or user interaction, and the attack vector is network-based, as the vulnerable function is commonly used to sanitize user input in web applications. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the potential for availability impact without compromising confidentiality or integrity. No known exploits are currently reported in the wild, but the vulnerability could be leveraged to degrade service availability by sending specially crafted payloads containing large incomplete HTML tag sequences to affected Django applications.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the availability of web applications built on the affected Django versions. Organizations relying on Django for public-facing or internal web services could experience service degradation or outages if attackers exploit this flaw to trigger resource exhaustion. This can disrupt business operations, customer access, and internal workflows. The impact is more significant for high-traffic or critical applications, where denial-of-service conditions can cause cascading operational issues. Since the vulnerability does not affect confidentiality or integrity, a data breach is unlikely to result directly from this flaw. However, service unavailability can indirectly affect trust and compliance, especially under regulations like GDPR that emphasize service continuity. Organizations in sectors such as finance, healthcare, e-commerce, and government, which often use Django for web applications, may face operational and reputational risks if the flaw is exploited.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should promptly upgrade Django to a fixed version: 4.2.21, 5.1.9, or 5.2.1 or later. If immediate upgrading is not feasible, implement input validation and sanitization at the application or web server level to detect and reject inputs with excessively large or malformed HTML tag sequences before they reach the vulnerable function. Employ web application firewalls (WAFs) with custom rules to identify and block suspicious payloads aimed at strip_tags(). Additionally, configure resource limits and timeouts on web application processes so that a single request cannot consume excessive CPU or memory. Monitoring application performance and logs for unusual spikes in resource usage or slowdowns can help detect exploitation attempts early. Finally, conduct security testing and code reviews to identify any other functions that may be vulnerable to similar resource exhaustion issues.
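As an added example (not code from the advisory or from the Django project), the following pre-check applies the length and malformed-tag limits described above before a value reaches strip_tags(). The thresholds, the helper names and the regex stand-in used when Django is not installed are all assumptions for illustration.

```python
import re
from typing import Callable, Optional

# Assumed thresholds (not from the advisory); tune them per application.
MAX_INPUT_LENGTH = 64 * 1024     # characters accepted for tag stripping
MAX_INCOMPLETE_TAGS = 100        # '<' that never reach a closing '>'

try:
    from django.utils.html import strip_tags as _default_strip
except ImportError:
    # Stand-in so the example runs without Django; NOT equivalent to
    # django.utils.html.strip_tags(), which is what production should call.
    def _default_strip(value: str) -> str:
        return re.sub(r"<[^>]*>", "", value)


class TagFloodRejected(ValueError):
    """Input looks like the incomplete-tag pattern the advisory describes."""


def count_incomplete_tags(text: str) -> int:
    """Count '<' characters that are never closed by a '>'.

    A '<' followed by another '<' (or by end of input) before any '>'
    is an incomplete tag; long runs of these are the slow-path input.
    """
    incomplete = 0
    pending = False          # True while a '<' is waiting for its '>'
    for ch in text:
        if ch == "<":
            if pending:
                incomplete += 1
            pending = True
        elif ch == ">":
            pending = False
    return incomplete + (1 if pending else 0)


def check_tag_flood(text: str, max_length: int = MAX_INPUT_LENGTH,
                    max_incomplete: int = MAX_INCOMPLETE_TAGS) -> Optional[str]:
    """Return a rejection reason, or None if the input is within limits."""
    if len(text) > max_length:
        return f"input length {len(text)} exceeds {max_length}"
    n = count_incomplete_tags(text)
    if n > max_incomplete:
        return f"{n} incomplete tags exceed limit {max_incomplete}"
    return None


def guarded_strip_tags(text: str,
                       strip_fn: Callable[[str], str] = _default_strip) -> str:
    """Reject flood-like input first, then delegate to the real stripper."""
    reason = check_tag_flood(text)
    if reason is not None:
        raise TagFloodRejected(reason)
    return strip_fn(text)
```

In a Django form this would sit in a field's clean method, so the request is rejected with a validation error instead of spending CPU inside strip_tags().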


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-11T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9819c4522896dcbd8589

Added to database: 5/21/2025, 9:08:41 AM

Last enriched: 7/5/2025, 6:42:50 AM

Last updated: 7/31/2025, 10:01:11 PM

