From 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Tue, 8 Apr 2025 16:30:17 +0200
Subject: [4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in
 strip_tags().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
---
 docs/releases/4.2.21.txt | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'docs')

diff --git a/docs/releases/4.2.21.txt b/docs/releases/4.2.21.txt
index 306269a3e7..cc39105a01 100644
--- a/docs/releases/4.2.21.txt
+++ b/docs/releases/4.2.21.txt
@@ -7,6 +7,17 @@ Django 4.2.21 release notes
 Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug,
 and a regression in 4.2.20.
 
+CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
+=================================================================
+
+:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
+containing large sequences of incomplete HTML tags. This function is used to
+implement the :tfilter:`striptags` template filter, which was thus also
+vulnerable.
+
+:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
+exception if it encounters an unusually large number of unclosed opening tags.
+
 Bugfixes
 ========
 
-- 
cgit v1.3