Moderate severityNVD Advisory· Published Jun 5, 2025· Updated Jun 11, 2025
CVE-2025-48432
CVE-2025-48432
Description
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 5.2, < 5.2.2 | 5.2.2 |
DjangoPyPI | >= 5.0a1, < 5.1.10 | 5.1.10 |
DjangoPyPI | < 4.2.22 | 4.2.22 |
Affected products
1- Range: 4.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
14- github.com/advisories/GHSA-7xr5-9hcq-chf9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-48432ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/06/04/5ghsaWEB
- www.openwall.com/lists/oss-security/2025/06/10/2ghsaWEB
- www.openwall.com/lists/oss-security/2025/06/10/3ghsaWEB
- www.openwall.com/lists/oss-security/2025/06/10/4ghsaWEB
- docs.djangoproject.com/en/dev/releases/securityghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-47.yamlghsaWEB
- groups.google.com/g/django-announceghsaWEB
- www.djangoproject.com/weblog/2025/jun/04/security-releasesghsaWEB
- www.djangoproject.com/weblog/2025/jun/10/bugfix-releasesghsaWEB
- docs.djangoproject.com/en/dev/releases/security/mitre
- www.djangoproject.com/weblog/2025/jun/04/security-releases/mitre
- www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/mitre
News mentions
0No linked articles in our index yet.