CVE-2018-7537: Incorrect Regular Expression
If `django.utils.text.Truncator`'s `chars()` and `words()` methods were passed the `html=True` argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The `chars()` and `words()` methods are used to implement the `truncatechars_html` and `truncatewords_html` template filters, which were therefore vulnerable as well.
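To make the class of fix concrete, the following is an added example, not Django's code and not part of this advisory: a word-level HTML truncator in the spirit of `truncatewords_html`, written so that the tag-matching regular expression uses a negated character class (`[^>]`) rather than a lazy `.*?`, which is the pattern shape that allows a backtracking engine to re-pair `<` and `>` across long runs of input. The regular expression, the function names and the void-element list are assumptions of this example.

```python
import re

# Tag matching with a negated character class: once the engine has consumed
# a '>' it cannot backtrack and try to pair the '<' with a later '>', so the
# match cost stays linear in the input length. Illustrative pattern for this
# example; it is not asserted to be Django's own regex.
TAG_OR_WORD = re.compile(r'<[^>]+?>|([^<>\s]+)', re.S)
TAG_NAME = re.compile(r'^<\s*/?\s*([a-zA-Z][\w:-]*)', re.S)

# Elements that never have a closing tag (assumed list for this example).
VOID_ELEMENTS = {"br", "hr", "img", "input", "meta", "link"}


def truncate_words_html(text, num, end_text="…"):
    """Keep the first `num` words of an HTML fragment, preserving tags and
    closing any element still open at the cut point.

    Returns the text unchanged when it has no more than `num` words.
    """
    if num <= 0:
        return ""
    words_seen = 0
    open_tags = []
    end_pos = None
    for m in TAG_OR_WORD.finditer(text):
        if m.group(1) is not None:  # group 1 is set only for a word
            words_seen += 1
            if words_seen == num:
                end_pos = m.end()
                break
            continue
        tag = m.group(0)
        name_m = TAG_NAME.match(tag)
        if not name_m:  # comments, doctype, malformed tag: ignore
            continue
        name = name_m.group(1).lower()
        closing = tag.lstrip("<").lstrip().startswith("/")
        if closing:
            if name in open_tags:
                # Pop back to the matching open tag; tolerates mis-nesting.
                while open_tags and open_tags.pop() != name:
                    pass
        elif name not in VOID_ELEMENTS and not tag.endswith("/>"):
            open_tags.append(name)
    if end_pos is None:
        return text  # fewer than `num` words: nothing to truncate
    # Only truncate if at least one more word follows the cut point.
    more = any(mm.group(1) is not None
               for mm in TAG_OR_WORD.finditer(text, end_pos))
    if not more:
        return text
    return text[:end_pos] + end_text + "".join(
        f"</{t}>" for t in reversed(open_tags))


if __name__ == "__main__":
    # Constructed sample input for this example.
    sample = "<p>one two <b>three four</b> five</p>"
    print(truncate_words_html(sample, 3))  # → <p>one two <b>three…</b></p>
```

The defensive point is in the pattern itself: `<[^>]+?>` can match a tag in only one way, so a long sequence of `<` characters or unterminated tags costs a single forward scan, whereas `<.*?>` combined with an alternation lets the engine retry every candidate `>` position. A regression test that feeds the truncator a few hundred unbalanced `<` characters and asserts it returns promptly is a reasonable way to keep this property from regressing.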