CVE-2025-48432

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

CVSS v3 4.0 MEDIUM

4.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
http://www.openwall.com/lists/oss-security/2025/06/04/5
http://www.openwall.com/lists/oss-security/2025/06/10/2
http://www.openwall.com/lists/oss-security/2025/06/10/3
http://www.openwall.com/lists/oss-security/2025/06/10/4

Configurations

No configuration.

History

10 Jun 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-05 03:15

Updated : 2025-06-10 18:15

NVD link : CVE-2025-48432

Mitre link : CVE-2025-48432

CVE.ORG link : CVE-2025-48432

JSON object : View

Products Affected

No product.

CWE

CWE-117

Improper Output Neutralization for Logs

{"id": "CVE-2025-48432", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2025-06-05T03:15:25.563", "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "source": "cve@mitre.org"}, {"url": "https://groups.google.com/g/django-announce", "source": "cve@mitre.org"}, {"url": "https://www.djangoproject.com/weblog/2025/jun/04/security-releases/", "source": "cve@mitre.org"}, {"url": "https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/", "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/04/5", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/10/2", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/10/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/06/10/4", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-117"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Django 5.2 (anterior a la 5.2.2), 5.1 (anterior a la 5.1.10) y 4.2 (anterior a la 4.2.22). El registro interno de respuestas HTTP no escapa a request.path, lo que permite a atacantes remotos manipular la salida del registro mediante URL manipuladas. Esto puede provocar la inyecci\u00f3n o falsificaci\u00f3n de registros cuando estos se visualizan en terminales o son procesados por sistemas externos."}], "lastModified": "2025-06-10T18:15:32.790", "sourceIdentifier": "cve@mitre.org"}