CVE-2025-48432

An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
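The following example is added here to illustrate the class of bug the advisory describes; it is not Django's code and does not reproduce the project's actual fix. It contrasts a naive response logger that interpolates the request path verbatim with one that escapes control characters first, using a constructed request path (CRAFTED_PATH) that carries a CR/LF pair. All function names are hypothetical.

```python
import re

# Constructed sample input: a request path containing CR/LF followed by text
# shaped like a second log record. Nothing here is a real request.
CRAFTED_PATH = "/missing-page\r\n[INFO] Login succeeded for user admin"

# C0 controls (including CR, LF, ESC), DEL and C1 controls. These are the
# characters that can break a log line or drive a terminal when a log is
# viewed with cat/tail.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def contains_control_chars(value: str) -> bool:
    """Detection helper: True if the field could alter log structure."""
    return _CONTROL.search(value) is not None


def sanitize_log_field(value: str) -> str:
    """Replace each control character with a visible \\xNN escape so an
    attacker-controlled field stays inside its own log record."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def format_response_log_unsafe(status: int, path: str) -> str:
    """The pattern the advisory describes: the path is logged verbatim."""
    return f"[WARNING] {status} {path}"


def format_response_log_safe(status: int, path: str) -> str:
    """Hardened variant: escape the untrusted field before formatting."""
    return f"[WARNING] {status} {sanitize_log_field(path)}"


def count_records(log_text: str) -> int:
    """Number of records a line-oriented log consumer would see."""
    return len([line for line in log_text.splitlines() if line])


if __name__ == "__main__":
    unsafe = format_response_log_unsafe(404, CRAFTED_PATH)
    safe = format_response_log_safe(404, CRAFTED_PATH)
    print("unsafe logger emits", count_records(unsafe), "record(s)")
    print("safe logger emits", count_records(safe), "record(s)")
    print(safe)
```

Running the block shows the unsafe formatter producing two apparent records (the second one forged) while the escaped variant keeps everything on one line with the CR/LF rendered as `\x0d\x0a`. The same escaping belongs in any log handler or formatter that receives request-controlled fields, and `contains_control_chars` can serve as a cheap detection rule over incoming paths.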
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N |
| mitre | CNA | 4 MEDIUM | | | | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | --- | | | | --- |
Awaiting analysis: This vulnerability is currently awaiting analysis.
Base Score: CVSS 3.x
EPSS Score: Percentile: Unknown
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| python-django | bullseye | | vulnerable |
| python-django | bullseye (security) | 2:2.2.28-1~deb11u7 | fixed |
| python-django | bookworm | | vulnerable |
| python-django | bookworm (security) | | vulnerable |
| python-django | trixie | | vulnerable |
| python-django | sid | 3:4.2.22-1 | fixed |
Ubuntu Releases

| Ubuntu Product | Codename | Status | Fixed version | Release status |
|---|---|---|---|---|
| python-django | plucky | Fixed | 3:4.2.18-1ubuntu1.2 | released |
| python-django | oracular | Fixed | 3:4.2.15-1ubuntu1.5 | released |
| python-django | noble | Fixed | 3:4.2.11-1ubuntu1.8 | released |
| python-django | jammy | Fixed | 2:3.2.12-2ubuntu1.19 | released |
| python-django | focal | Fixed | 2:2.2.12-1ubuntu0.29+esm1 | released |
| python-django | bionic | needs-triage | | |
| python-django | xenial | needs-triage | | |
| python-django | trusty | needs-triage | | |