Bug 957149 (CVE-2025-48432) - <dev-python/django-{4.2.23,5.1.11,5.2.3}: Potential log injection via unescaped request path
Status: CONFIRMED
Alias: CVE-2025-48432
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://docs.djangoproject.com/en/5.2...
Whiteboard: B4 [stable]
Keywords:
Depends on: 957807 957808 957809 957146 957147 957148
Blocks:
Reported: 2025-06-05 03:26 UTC by Michał Górny
Modified: 2025-06-11 05:37 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description — Michał Górny, 2025-06-05 03:26:40 UTC
CVE-2025-48432: Potential log injection via unescaped request path

Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.

Although this does not directly impact Django’s security model, it poses risks when logs are consumed or interpreted by other tools. To fix this, the internal django.utils.log.log_response() function now escapes all positional formatting arguments using a safe encoding.
Comment 1 — Michał Górny, 2025-06-11 05:35:37 UTC
Another round of bugfixes for the same CVE:

Bugfixes
========

* Fixed a log injection possibility by migrating remaining response logging
  to ``django.utils.log.log_response()``, which safely escapes arguments such
  as the request path to prevent unsafe log output (:cve:`2025-48432`).
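The following is an added illustration, not Django's code and not part of the bug report: it reproduces the defect described in the description and in comment 1 (a request path containing a newline or an ANSI escape sequence written unescaped into a log record) and the class of fix the release notes describe (escaping every positional string argument before it reaches the formatter). The escaping function, the sample paths and the logger names are assumptions made for the example; the `unicode_escape` encoding is used here as one "safe encoding" that turns control characters into printable backslash sequences.

```python
import io
import logging
import re

# Constructed sample request paths (not taken from the page): a benign path,
# a path that smuggles a forged second log line, and a path that carries
# ANSI terminal escape sequences (clear screen, red colour, reset).
SAMPLE_PATHS = [
    "/accounts/login/",
    "/admin/\nERROR django.request: Forged line injected via request.path",
    "/search/?q=\x1b[2J\x1b[31mRED\x1b[0m",
]

# Anything below 0x20, plus DEL, is a control character that should never
# appear verbatim inside a single log record.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def escape_log_arg(arg):
    """Escape control characters in a str argument (assumed approach).

    Only positional *arguments* are escaped, never the format string, so
    "%s"-style interpolation still works and non-string args pass through.
    """
    if isinstance(arg, str):
        return arg.encode("unicode_escape").decode("ascii")
    return arg


def make_logger():
    """Build a fresh in-memory logger so each call captures one record."""
    buf = io.StringIO()
    logger = logging.getLogger("django.request")  # assumed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_response_unsafe(logger, message, *args):
    """Vulnerable pattern: request.path is interpolated untouched."""
    logger.warning(message, *args)


def log_response_safe(logger, message, *args):
    """Hardened pattern: every positional str argument is escaped first."""
    logger.warning(message, *(escape_log_arg(a) for a in args))


def render(path, safe):
    """Log a 404-style message for `path` and return the raw log text."""
    logger, buf = make_logger()
    fn = log_response_safe if safe else log_response_unsafe
    fn(logger, "Not Found: %s", path)
    return buf.getvalue()


def count_lines(rendered):
    """Number of newline-terminated lines; one record should be one line."""
    return rendered.count("\n")


def contains_raw_control(rendered):
    """True if a raw control character survives inside the record body."""
    return bool(CONTROL_CHARS.search(rendered.rstrip("\n")))


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        for safe in (False, True):
            out = render(path, safe)
            print(f"safe={safe} lines={count_lines(out)} "
                  f"raw_control={contains_raw_control(out)} -> {out!r}")
```

Run as a script, the unsafe variant of the second path produces two log lines, the second of which looks like a genuine ERROR record, and the third path emits raw ESC bytes that a terminal would interpret; the escaped variant keeps each record on one line with the control characters rendered as `\n` and `\x1b`. Note that `unicode_escape` also rewrites non-ASCII characters and backslashes, so downstream log parsers must expect backslash sequences rather than the original path bytes.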