author    Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>  2024-07-12 11:38:34 +0200
committer Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>  2024-08-06 08:51:55 +0200
commit    27900fe56f3d3cabb4aeb6ccb82f92bab29073a8 (patch)
tree      65ecf56c743ebf44ac79d96124ddc9a7f7fd5d6e /docs
parent    d7f955462cb17e74c2a1701ea7f722f2ed2bc168 (diff)
[5.0.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.
Thanks Elias Myllymäki for the report. Co-authored-by: Shai Berger <shai@platonix.com>
Diffstat (limited to 'docs')
-rw-r--r--  docs/releases/4.2.15.txt  | 9
-rw-r--r--  docs/releases/5.0.8.txt   | 9
2 files changed, 18 insertions, 0 deletions
diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt
index d312f8580f..f3fdb0a3cf 100644
--- a/docs/releases/4.2.15.txt
+++ b/docs/releases/4.2.15.txt
@@ -7,6 +7,15 @@ Django 4.2.15 release notes
Django 4.2.15 fixes three security issues with severity "moderate", one
security issue with severity "high", and a regression in 4.2.14.
+CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
+================================================================================
+
+If :tfilter:`floatformat` received a string representation of a number in
+scientific notation with a large exponent, it could lead to significant memory
+consumption.
+
+To avoid this, decimals with more than 200 digits are now returned as is.
+
Bugfixes
========
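Review bot: the new section heading names the affected entry point as ``django.utils.numberformat.floatformat()`` while the body two lines later points readers at the template filter via :tfilter:`floatformat`; the release note should use one consistent name for the vulnerable code path (or state both explicitly) so readers of the 4.2.15 notes can tell whether the Python helper, the template filter, or both are covered. The mitigation sentence "To avoid this, decimals with more than 200 digits are now returned as is." would also be clearer if it spelled out what "as is" means for callers, e.g. that the requested precision is not applied to such inputs, since that is a visible behaviour change worth flagging in a release note.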
diff --git a/docs/releases/5.0.8.txt b/docs/releases/5.0.8.txt
index 704ecf2c61..c371e4af0b 100644
--- a/docs/releases/5.0.8.txt
+++ b/docs/releases/5.0.8.txt
@@ -7,6 +7,15 @@ Django 5.0.8 release notes
Django 5.0.8 fixes three security issues with severity "moderate", one security
issue with severity "high", and several bugs in 5.0.7.
+CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``
+================================================================================
+
+If :tfilter:`floatformat` received a string representation of a number in
+scientific notation with a large exponent, it could lead to significant memory
+consumption.
+
+To avoid this, decimals with more than 200 digits are now returned as is.
+
Bugfixes
========
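Review bot: in the 5.0.8 note the heading refers to ``django.utils.numberformat.floatformat()`` but the description refers to :tfilter:`floatformat`, so the affected entry point is named two different ways within the same nine lines; align the heading and body on a single name. It would also help to say in "decimals with more than 200 digits are now returned as is" that the requested precision is not applied for such inputs, so that users of 5.0.8 know the exact behaviour change to expect.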