Django 5.1.9 release notes

May 7, 2025

Django 5.1.9 fixes a security issue with severity “moderate”, a data loss bug, and a regression in 5.1.8.

This release was built using an upgraded setuptools, producing filenames compliant with PEP 491 and PEP 625 and thus addressing a PyPI warning about non-compliant distribution filenames. This change only affects the Django packaging process and does not impact Django’s behavior.

CVE-2025-32873: Denial-of-service possibility in strip_tags()

strip_tags() would be slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the striptags template filter, which was thus also vulnerable.

strip_tags() now raises a SuspiciousOperation exception if it encounters an unusually large number of unclosed opening tags.

Bugfixes

  • Fixed a data corruption possibility in file_move_safe() when allow_overwrite=True, where leftover content from a previously larger file could remain after overwriting with a smaller one due to lack of truncation (#36298).

  • Fixed a regression in Django 5.1.8, introduced when fixing CVE-2025-26699, where the wordwrap template filter did not preserve empty lines between paragraphs after wrapping text (#36341).
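
The file_move_safe() entry above describes a general failure mode: overwriting an existing file through a descriptor opened without truncation leaves the tail of the old, larger content in place. The following is an added illustration using only the standard library, not Django's implementation; the overwrite() and demo() helpers and the sample data are hypothetical and constructed for this example.

```python
import os
import tempfile


def overwrite(path, data, truncate):
    """Overwrite an existing file through a raw descriptor.

    Hypothetical helper for illustration; not Django's file_move_safe().
    """
    flags = os.O_WRONLY | os.O_CREAT | getattr(os, "O_BINARY", 0)
    if truncate:
        flags |= os.O_TRUNC  # discard the old content before writing
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Return (content_without_truncation, content_with_truncation)."""
    old = b"previous upload: 0123456789abcdef\n"  # constructed sample data
    new = b"new file\n"                           # smaller replacement
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for truncate in (False, True):
            path = os.path.join(tmp, f"target-{truncate}.txt")
            with open(path, "wb") as fh:
                fh.write(old)
            overwrite(path, new, truncate)
            with open(path, "rb") as fh:
                results.append(fh.read())
    return tuple(results)


if __name__ == "__main__":
    stale, clean = demo()
    print("without O_TRUNC:", stale)  # new bytes followed by old tail
    print("with O_TRUNC:   ", clean)  # only the new bytes
```

Comparing the destination's size or hash against the source after a move is a simple way to check whether files written by an affected version were corrupted this way.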