Package: python-django
Version: 2:2.2.28-1~deb11u6
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-django.
CVE-2025-48432[0]: Potential log injection via unescaped request path
Internal HTTP response logging used `request.path` directly,
allowing control characters (e.g. newlines or ANSI escape
sequences) to be written unescaped into logs. This could enable
log injection or forgery, letting attackers manipulate log
appearance or structure, especially in logs processed by external
systems or viewed in terminals.
Although this does not directly impact Django's security model, it
poses risks when logs are consumed or interpreted by other tools.
To fix this, the internal `django.utils.log.log_response()`
function now escapes all positional formatting arguments using a
safe encoding.
More info:
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-48432
https://www.cve.org/CVERecord?id=CVE-2025-48432
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
