CVE-2025-48432: Improper Output Neutralization for Logs in Django

Severity: 5.3 MEDIUM (NVD); CNA score 4.0
EPSS: 0.4% (top 38.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 5

Description

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
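As an added example (not code from this page or from Django itself), the filter below shows the defensive side of the issue described above: a `logging.Filter` that escapes CR, LF and other control characters in a log record before a request path can split a log line. The "status: path" message shape, the `render_response_log` helper and the sample path are assumptions constructed for the demonstration.

```python
import io
import logging


class EscapeControlCharsFilter(logging.Filter):
    """Escape CR, LF and other control characters in the log message and its
    string arguments, so one request can never produce more than one line."""

    _TABLE = {c: f"\\x{c:02x}" for c in list(range(0x20)) + [0x7F]}

    @classmethod
    def _clean(cls, value):
        return value.translate(cls._TABLE) if isinstance(value, str) else value

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self._clean(record.msg)
        if isinstance(record.args, dict):
            record.args = {k: self._clean(v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(self._clean(a) for a in record.args)
        return True  # never drop the record, only neutralise it


def render_response_log(path: str, status: int, neutralize: bool) -> str:
    """Log a status-plus-path line the way an internal response logger would
    (shape assumed here, not copied from Django) and return the text that
    reached the handler, with or without the neutralising filter installed."""
    logger = logging.getLogger(f"example.response.{'safe' if neutralize else 'raw'}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if neutralize:
        handler.addFilter(EscapeControlCharsFilter())
    logger.addHandler(handler)
    logger.info("%s: %s", status, path)  # path is taken straight from the request
    handler.flush()
    return buf.getvalue()


# Constructed sample: a request path that, once decoded, carries CR LF followed
# by text shaped like a second, fabricated log entry.
FORGED_PATH = "/api/items/\r\nINFO 200: /admin/"

if __name__ == "__main__":
    print(repr(render_response_log(FORGED_PATH, 404, neutralize=False)))
    print(repr(render_response_log(FORGED_PATH, 404, neutralize=True)))
```

Without the filter the single request renders as two lines; with it, the CR LF survives only as the visible escapes `\x0d\x0a`, which is also what a log pipeline should alert on.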

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (Exploitability: 3.9 | Impact: 1.4)

Affected Packages (3 packages)

CVEListV5 | djangoproject/django | 4.2 | 4.2.23 | +2 more
NVD | djangoproject/django | 4.2 | 4.2.23 | +2 more
PyPI | djangoproject/django | 5.2 | 5.2.2 | +4 more

Also affects: Debian Linux 11.0

Vulnerability Details (5)

GHSA: Django Improper Output Neutralization for Logs vulnerability (2025-06-05)
OSV: CVE-2025-48432: An issue was discovered in Django 5 (2025-06-05)
OSV: CVE-2025-48432: An issue was discovered in Django 5 (2025-06-05)
CVEList: CVE-2025-48432: An issue was discovered in Django 5 (2025-06-05)
OSV: Django Improper Output Neutralization for Logs vulnerability (2025-06-05)

Vendor Advisories (3)

Red Hat: django: Django Path Injection Vulnerability (2025-06-05)
Ubuntu: Django vulnerability (2025-06-04)
Debian: CVE-2025-48432: python-django - An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 b... (2025)
CVE-2025-48432 — Djangoproject Django vulnerability | cvebase