
oss-sec mailing list archives
Django CVE-2025-48432 (follow-up patch releases)
From: Sarah Boyce <sarahboyce () djangoproject com>
Date: Tue, 10 Jun 2025 15:28:34 +0200
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/

Following the June 4, 2025 security release, the Django team is issuing releases for `Django 5.2.3 <https://docs.djangoproject.com/en/dev/releases/5.2.3/>`_, `Django 5.1.11 <https://docs.djangoproject.com/en/dev/releases/5.1.11/>`_, and `Django 4.2.23 <https://docs.djangoproject.com/en/dev/releases/4.2.23/>`_ to complete mitigation for CVE-2025-48432: Potential log injection via unescaped request path (`full description <https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>`_).

These follow-up releases migrate remaining response logging paths to a safer logging implementation, ensuring that all untrusted input is properly escaped before being written to logs.

This update does not introduce a new CVE but strengthens the original fix.

We encourage all users of Django to upgrade as soon as possible.

Affected supported versions
===========================

* Django main
* Django 5.2
* Django 5.1
* Django 4.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main, 5.2, 5.1, and 4.2 branches. The patches may be obtained from the following changesets.

CVE-2025-48432: Potential log injection via unescaped request path
------------------------------------------------------------------

* On the `main branch <https://github.com/django/django/commit/957951755259b412d5113333b32bf85871d29814/>`__
* On the `5.2 branch <https://github.com/django/django/commit/8fcc83953c350e158a484bf1da0aa1b79b69bb07/>`__
* On the `5.1 branch <https://github.com/django/django/commit/31f4bd31fa16f7f5302f65b9b8b7a49b69a7c4a6/>`__
* On the `4.2 branch <https://github.com/django/django/commit/b597d46bb19c8567615e62029210dab16c70db7d/>`__

The following releases have been issued
=======================================

* Django 5.2.3 (`download Django 5.2.3 <https://www.djangoproject.com/download/5.2.3/tarball/>`_ | `5.2.3 checksums <https://www.djangoproject.com/download/5.2.3/checksum/>`_)
* Django 5.1.11 (`download Django 5.1.11 <https://www.djangoproject.com/download/5.1.11/tarball/>`_ | `5.1.11 checksums <https://www.djangoproject.com/download/5.1.11/checksum/>`_)
* Django 4.2.23 (`download Django 4.2.23 <https://www.djangoproject.com/download/4.2.23/tarball/>`_ | `4.2.23 checksums <https://www.djangoproject.com/download/4.2.23/checksum/>`_)

The PGP key ID used for this release is: `3955B19851EA96EF <https://github.com/sarahboyce.gpg>`_
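The class of bug the advisory describes, shown as an added example that is not part of the announcement and not Django's own code: a response logger that writes the raw request path lets a CR/LF in the path split one record into two, while escaping control characters before the `logging` call keeps the untrusted text on a single line. The `escape_for_log`, `log_response` and `record_count` names and the sample path are all constructed for this illustration.

```python
import io
import logging

LOG_FORMAT = "%(levelname)s %(message)s"


def escape_for_log(value: str) -> str:
    """Replace ASCII control characters (CR, LF, ESC, ...) with a visible
    \\xNN escape so untrusted text cannot start a new log record or emit
    terminal control sequences. Printable text is passed through unchanged."""
    return "".join(
        f"\\x{ord(ch):02x}" if ord(ch) < 0x20 or ord(ch) == 0x7F else ch
        for ch in value
    )


def log_response(path: str, status: int, escape: bool) -> str:
    """Log a response the way a request/response logger would, into an
    in-memory buffer, and return exactly what was written.
    escape=False models logging the raw path; escape=True the hardened form."""
    buf = io.StringIO()
    logger = logging.getLogger(f"demo.response.{escape}")
    logger.handlers.clear()          # keep repeated calls independent
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter(LOG_FORMAT))
    logger.addHandler(handler)
    shown = escape_for_log(path) if escape else path
    logger.warning("Response %d for %s", status, shown)
    return buf.getvalue()


def record_count(log_text: str) -> int:
    """Number of records a line-oriented log consumer (grep, SIEM) would see."""
    return len(log_text.splitlines())


# Constructed sample: a request path carrying CRLF followed by text shaped
# like a second log record, so the raw-path logger appears to emit two.
FORGED_PATH = "/missing\r\nWARNING Response 404 for /other"

if __name__ == "__main__":
    print(log_response(FORGED_PATH, 404, escape=False))  # two records
    print(log_response(FORGED_PATH, 404, escape=True))   # one record
```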