{"id":"CVE-2018-7537","details":"An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.","aliases":["GHSA-2f9x-5v75-3qv4","PYSEC-2018-6"],"modified":"2026-04-16T06:15:21.603878744Z","published":"2018-03-09T20:29:00.660Z","related":["SUSE-SU-2018:0973-1","SUSE-SU-2018:1102-1","SUSE-SU-2018:1828-1","SUSE-SU-2018:1830-1","openSUSE-SU-2018:0651-1","openSUSE-SU-2023:0077-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/103357"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0265"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3591-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4161"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2018/mar/06/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"6a0dc2176f4ebf907e124d433411e52bba39a28e"},{"fixed":"c686dd8e6bb3817bcf04b8f13c025b4d3c3dc6dc"},{"introduced":"c669cf279ae7b3e02a61db4fb077030a4db80e4f"},{"fixed":"1cc5aceac0a73468a6d1a671b9c86423e5bcf011"},{"introduced":"8c85c8692240e5ae4b568eb4272475fe1fa4b059"},{"fixed":"2d73ffc6f96e399716a1ed3f58acd4e99afa3d33"}],"database_specific":{"versions":[{"introduced":"1.8"},{"fixed":"1.8.19"},{"introduced":"1.11"},{"fixed":"1.11.11"},{"introduced":"2.0"},{"fixed":"2.0.3"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-7537.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"17.10"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}