CVE-2025-48432

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-48432
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

4.0 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
http://www.openwall.com/lists/oss-security/2025/06/04/5
http://www.openwall.com/lists/oss-security/2025/06/10/2
http://www.openwall.com/lists/oss-security/2025/06/10/3
http://www.openwall.com/lists/oss-security/2025/06/10/4
Configurations

No configuration.

History

10 Jun 2025, 18:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/06/10/4 -

10 Jun 2025, 17:24

Type Values Removed Values Added
Summary (en) An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems. (en) An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
References
  • () https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/ -
  • () http://www.openwall.com/lists/oss-security/2025/06/10/2 -
  • () http://www.openwall.com/lists/oss-security/2025/06/10/3 -

05 Jun 2025, 20:12

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema en Django 5.2 (anterior a la 5.2.2), 5.1 (anterior a la 5.1.10) y 4.2 (anterior a la 4.2.22). El registro interno de respuestas HTTP no escapa a request.path, lo que permite a atacantes remotos manipular la salida del registro mediante URL manipuladas. Esto puede provocar la inyección o falsificación de registros cuando estos se visualizan en terminales o son procesados por sistemas externos.

05 Jun 2025, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-05 03:15

Updated : 2025-06-10 18:15

NVD link : CVE-2025-48432

Mitre link : CVE-2025-48432

CVE.ORG link : CVE-2025-48432

JSON object : View

Products Affected

No product.

CWE
CWE-117

Improper Output Neutralization for Logs