CVE-2025-48432 – django

Package

Manager: pip
Name: django
Vulnerable Version: >=5.2 <5.2.2 || >=5.0a1 <5.1.10 || >=0 <4.2.22

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

EPSS: 0.00031 pctl0.07416

Details

Django Improper Output Neutralization for Logs vulnerability An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

Metadata

Created: 2025-06-05T03:30:58Z
Modified: 2025-06-10T20:03:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-7xr5-9hcq-chf9/GHSA-7xr5-9hcq-chf9.json
CWE IDs: ["CWE-117"]
Alternative ID: GHSA-7xr5-9hcq-chf9
Finding: F091
Auto approve: 1