CVE-2025-48432
Log Injection vulnerability in django (PyPI)
What is CVE-2025-48432 About?
This vulnerability in Django's internal HTTP response logging lets a remote, unauthenticated attacker inject arbitrary content into an application's logs. When Django records a 4xx or 5xx response it writes the request path (request.path) to the log verbatim, so a path carrying control characters such as newlines or ANSI escape sequences lands in the log unescaped. The result can be forged or hidden log entries, or terminal manipulation, when the logs are viewed directly or processed by external systems. Exploitation requires nothing more than sending a request with a crafted path.
Affected Software
- django
- <4.2.22
- >=5.2, <5.2.2
- >=5.0a1, <5.1.10
Technical Details
The vulnerability affects Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Django's internal HTTP response logging (the django.request logger, which records lines such as "Not Found: /some/path" for 4xx and 5xx responses) wrote request.path to the log without escaping it. Because the WSGI or ASGI server percent-decodes the path before Django sees it, a request for a URL like /foo%0Aforged reaches the logger with a literal newline in the path. An attacker can therefore embed line breaks to terminate the genuine entry and append a forged one, or embed ANSI escape sequences that are interpreted when the log is viewed in a terminal, giving log injection, log forgery, or terminal manipulation. The fixed releases escape the path before it is logged.
What is the Impact of CVE-2025-48432?
Successful exploitation may allow attackers to inject arbitrary data into log files, manipulate log entries, or obscure legitimate log events, hindering incident response and forensic analysis.
What is the Exploitability of CVE-2025-48432?
Exploitation is low complexity: the attacker only needs to send a request whose path contains control characters. No authentication or privileges are required, because any 4xx or 5xx response, including a plain 404 for a nonexistent path, produces the log entry, and the attack works remotely against any reachable endpoint. The preconditions are that the application keeps Django's response logging enabled (the default) and that the log sink or viewer interprets the injected characters: newline-delimited log parsers, SIEM ingestion pipelines, and unhardened terminals are the common cases. The risk is highest where log content drives automated decisions or is reviewed interactively in a terminal.
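As an added illustration (not Django's code and not part of the original advisory), the following stdlib-only Python script reproduces the mechanism described above on a constructed request path, shows an operator-side logging.Filter that applies the same idea as the fix (escape control characters before the line is written) to any logger, and scans sample log text for injected lines. The "<reason>: <path>" message shape mirrors what the django.request logger emits; the attacker path, the filter, the regexes, and the helper names are this example's own assumptions.

```python
"""Added example for CVE-2025-48432: simulate unescaped request.path logging,
an operator-side control-character filter, and a log scanner. Not Django code."""
import logging
import re
from urllib.parse import unquote

# Django's django.request logger emits "<reason>: <path>" for 4xx/5xx responses
# (e.g. "Not Found: /missing"). Vulnerable builds logged request.path verbatim.
def build_request_log_message(reason: str, path: str) -> str:
    return f"{reason}: {path}"

# Assumption: the WSGI/ASGI server percent-decodes the path before Django sees
# it (standard behaviour), so %0A arrives as a real newline in request.path.
def path_from_request_target(target: str) -> str:
    return unquote(target.split("?", 1)[0])

# Constructed attacker request target (not a real observed exploit): the decoded
# path contains LF (forges a second "log line") and ESC (starts an ANSI CSI).
ATTACKER_TARGET = "/missing%0AINFO%20login%20ok%20user=admin%1B[2J"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def escape_control_chars(text: str) -> str:
    """Render C0 controls and DEL as \\xNN so a log line stays on one line
    and cannot start a terminal escape sequence."""
    return CONTROL_CHARS.sub(lambda m: f"\\x{ord(m.group()):02x}", text)

class ControlCharFilter(logging.Filter):
    """Mitigation an operator can attach to any handler/logger: escape controls
    in the message template and in every string argument before formatting."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = escape_control_chars(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: escape_control_chars(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(escape_control_chars(a) if isinstance(a, str) else a
                                for a in record.args)
        return True

def render_with_filter(reason: str, path: str) -> str:
    """Build a record the way log_response-style callers do ("%s: %s" with
    reason and path as args), pass it through the filter, and format it."""
    rec = logging.LogRecord("django.request", logging.WARNING, __file__, 0,
                            "%s: %s", (reason, path), None)
    ControlCharFilter().filter(rec)
    return logging.Formatter("%(levelname)s %(message)s").format(rec)

# Detection: ANSI CSI sequences (ESC [ params intermediates final) or raw
# control characters other than TAB/LF inside a single already-split line.
ANSI_OR_CONTROL = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]|[\x00-\x08\x0b-\x1f\x7f]")

def find_suspicious_lines(log_text: str) -> list[int]:
    """Return 1-based numbers of log lines that carry injected control data."""
    return [i for i, line in enumerate(log_text.splitlines(), 1)
            if ANSI_OR_CONTROL.search(line)]

if __name__ == "__main__":
    path = path_from_request_target(ATTACKER_TARGET)
    vulnerable_line = build_request_log_message("Not Found", path)
    print("vulnerable output:", repr(vulnerable_line))
    print("filtered output:  ", render_with_filter("Not Found", path))
    print("suspicious lines: ", find_suspicious_lines(vulnerable_line))
```

The vulnerable output splits into two lines, the second of which reads like a genuine INFO entry followed by a clear-screen sequence; the filtered output keeps the whole event on one line with the injected bytes visible as \x0a and \x1b. Attaching ControlCharFilter to the django.request handler in LOGGING is a stopgap for deployments that cannot upgrade immediately; it does not replace upgrading to a fixed release.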
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | - | - |
What are the Available Fixes for CVE-2025-48432?
About the Fix from Resolved Security
Available Upgrade Options
- django
- <4.2.22 → Upgrade to 4.2.22
- django
- >=5.0a1, <5.1.10 → Upgrade to 5.1.10
- django
- >=5.2, <5.2.2 → Upgrade to 5.2.2
Additional Resources
- https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
- https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
- https://osv.dev/vulnerability/GHSA-7xr5-9hcq-chf9
- http://www.openwall.com/lists/oss-security/2025/06/10/3
- http://www.openwall.com/lists/oss-security/2025/06/04/5
- https://nvd.nist.gov/vuln/detail/CVE-2025-48432
What are Similar Vulnerabilities to CVE-2025-48432?
Similar Vulnerabilities: CVE-2021-3807, CVE-2020-8022, CVE-2019-1000008, CVE-2018-1000007, CVE-2017-1000388
