CVE-2025-48432

Description

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

CVSS Metrics

• v3.1•MEDIUM•Score: 4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
• v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Trends

Current EPSS score: 0.41%• Percentile: 62%

Techniques & Countermeasures

• CWE-117•Improper Output Neutralization for Logs

  The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

Affected Systems

• debian•debian_linux

  11.0

• djangoproject•django

  ≥ 4.2, < 4.2.23 | ≥ 5.1, < 5.1.11 | ≥ 5.2, < 5.2.3

• PyPI•django

  ≥ 4.2, < 4.2.22 | ≥ 5.2, < 5.2.2 | ≥ 5.0a1, < 5.1.10 | < 4.2.22

References (14)

• https://docs.djangoproject.com/en/dev/releases/security/
• https://groups.google.com/g/django-announce
• https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
• https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
• http://www.openwall.com/lists/oss-security/2025/06/04/5
• http://www.openwall.com/lists/oss-security/2025/06/10/2
• http://www.openwall.com/lists/oss-security/2025/06/10/3
• http://www.openwall.com/lists/oss-security/2025/06/10/4
• https://nvd.nist.gov/vuln/detail/CVE-2025-48432
• https://docs.djangoproject.com/en/dev/releases/security
• https://github.com/django/django
• https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-47.yaml
• https://www.djangoproject.com/weblog/2025/jun/04/security-releases
• https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases