957149 – (CVE-2025-48432) <dev-python/django-{4.2.22,5.1.10,5.2.2}: Potential log injection via unescaped request path

Bug 957149 (CVE-2025-48432) - <dev-python/django-{4.2.22,5.1.10,5.2.2}: Potential log injection via unescaped request path

Summary: <dev-python/django-{4.2.22,5.1.10,5.2.2}: Potential log injection via unescap...

Status:	CONFIRMED

Alias:	CVE-2025-48432

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://docs.djangoproject.com/en/5.2...
Whiteboard:	B4 [stable]
Keywords:

Depends on:	957148 957146 957147
Blocks:
	Show dependency tree

Reported:	2025-06-05 03:26 UTC by Michał Górny
Modified:	2025-06-05 08:05 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2025-06-05 03:26:40 UTC

CVE-2025-48432: Potential log injection via unescaped request path

Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.

Although this does not directly impact Django’s security model, it poses risks when logs are consumed or interpreted by other tools. To fix this, the internal django.utils.log.log_response() function now escapes all positional formatting arguments using a safe encoding.