diff --git a/django/utils/html.py b/django/utils/html.py
index 8892b9a740..0f0041f34b 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -41,6 +41,9 @@ VOID_ELEMENTS = frozenset(
MAX_STRIP_TAGS_DEPTH = 50
+# HTML tag that opens but has no closing ">" after 1k+ chars.
+long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
+
@keep_lazy(SafeString)
def escape(text):
@@ -207,6 +210,9 @@ def _strip_once(value):
def strip_tags(value):
"""Return the given HTML with all tags stripped."""
value = str(value)
+ for long_open_tag in long_open_tag_without_closing_re.finditer(value):
+ if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
+ raise SuspiciousOperation
# Note: in typical case this loop executes _strip_once twice (the second
# execution does not remove any more tags).
strip_tags_depth = 0
diff --git a/docs/releases/4.2.21.txt b/docs/releases/4.2.21.txt
index 306269a3e7..cc39105a01 100644
--- a/docs/releases/4.2.21.txt
+++ b/docs/releases/4.2.21.txt
@@ -7,6 +7,17 @@ Django 4.2.21 release notes
Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug,
and a regression in 4.2.20.
+CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
+=================================================================
+
+:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
+containing large sequences of incomplete HTML tags. This function is used to
+implement the :tfilter:`striptags` template filter, which was thus also
+vulnerable.
+
+:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
+exception if it encounters an unusually large number of unclosed opening tags.
+
Bugfixes
========
diff --git a/docs/releases/5.1.9.txt b/docs/releases/5.1.9.txt
index dec03a6964..f238ac1f7e 100644
--- a/docs/releases/5.1.9.txt
+++ b/docs/releases/5.1.9.txt
@@ -7,6 +7,17 @@ Django 5.1.9 release notes
Django 5.1.9 fixes a security issue with severity "moderate", a data loss bug,
and a regression in 5.1.8.
+CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
+=================================================================
+
+:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
+containing large sequences of incomplete HTML tags. This function is used to
+implement the :tfilter:`striptags` template filter, which was thus also
+vulnerable.
+
+:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
+exception if it encounters an unusually large number of unclosed opening tags.
+
Bugfixes
========
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 75873061de..78db84e1a1 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -126,17 +126,30 @@ class TestUtilsHtml(SimpleTestCase):
(">br>br>br>X", "XX"),
("<" * 50 + "a>" * 50, ""),
+ (">" + "" + "" * 51, ""
with self.assertRaises(SuspiciousOperation):
strip_tags(value)
+ def test_strip_tags_suspicious_operation_large_open_tags(self):
+ items = [
+ ">" + "