CVE-2025-48432: An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape...

4.0 CVSS

Description

An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

Classification

CVE ID: CVE-2025-48432

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Problem Types

CWE-117 Improper Output Neutralization for Logs

Affected Products

Vendor: djangoproject

Product: Django

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.57% (scored less or equal to compared to others)

EPSS Date: 2025-06-07 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48432
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/

Timeline

2025-06-05 03:40:16 UTC
CVE

An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape...
2025-06-06 16:15:32 UTC
Github Advisory Database (PIP)

[Django] Django Improper Output Neutralization for Logs vulnerability