oss-sec mailing list archives

Django CVE-2025-48432 (follow-up patch releases)

From: Sarah Boyce <sarahboyce () djangoproject com>
Date: Tue, 10 Jun 2025 15:28:34 +0200

https://www.djangoproject.com/weblog/2025/jun/04/security-releases/

Following the June 4, 2025 security release, the Django team is issuing
releases for
`Django 5.2.3 <https://docs.djangoproject.com/en/dev/releases/5.2.3/>`_,
`Django 5.1.11 <https://docs.djangoproject.com/en/dev/releases/5.1.11/>`_,
and
`Django 4.2.23 <https://docs.djangoproject.com/en/dev/releases/4.2.23/>`_ to
complete mitigation for CVE-2025-48432: Potential log injection via
unescaped
request path (`full description <
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/>`_).

These follow-up releases migrate remaining response logging paths to a safer
logging implementation, ensuring that all untrusted input is properly
escaped
before being written to logs. This update does not introduce a new CVE but
strengthens the original fix.

We encourage all users of Django to upgrade as soon as possible.

Affected supported versions
===========================

* Django main
* Django 5.2
* Django 5.1
* Django 4.2

Resolution
==========

Patches to resolve the issue have been applied to Django's
main, 5.2, 5.1, and 4.2 branches.
The patches may be obtained from the following changesets.

CVE-2025-48432: Potential log injection via unescaped request path
------------------------------------------------------------------

* On the `main branch <
https://github.com/django/django/commit/957951755259b412d5113333b32bf85871d29814/

`__

* On the `5.2 branch <
https://github.com/django/django/commit/8fcc83953c350e158a484bf1da0aa1b79b69bb07/

`__

* On the `5.1 branch <
https://github.com/django/django/commit/31f4bd31fa16f7f5302f65b9b8b7a49b69a7c4a6/

`__

* On the `4.2 branch <
https://github.com/django/django/commit/b597d46bb19c8567615e62029210dab16c70db7d/

`__



The following releases have been issued
=======================================

* Django 5.2.3 (`download Django 5.2.3
  <https://www.djangoproject.com/download/5.2.3/tarball/>`_ |
  `5.2.3 checksums
  <https://www.djangoproject.com/download/5.2.3/checksum/>`_)
* Django 5.1.11 (`download Django 5.1.11
  <https://www.djangoproject.com/download/5.1.11/tarball/>`_ |
  `5.1.11 checksums
  <https://www.djangoproject.com/download/5.1.11/checksum/>`_)
* Django 4.2.23 (`download Django 4.2.23
  <https://www.djangoproject.com/download/4.2.23/tarball/>`_ |
  `4.2.23 checksums
  <https://www.djangoproject.com/download/4.2.23/checksum/>`_)

The PGP key ID used for this release is : `3955B19851EA96EF <
https://github.com/sarahboyce.gpg>`_

Current thread:

Django CVE-2025-48432 (follow-up patch releases) Sarah Boyce (Jun 10)
- Re: Django CVE-2025-48432 (follow-up patch releases) Sarah Boyce (Jun 10)
- Re: Django CVE-2025-48432 (follow-up patch releases) Sebastian Pipping (Jun 10)