CVE-2025-48432 - log back

CVE-2025-48432 edited at 12 Jun 2025 08:17:31
Description
Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.
-
- Although this does not directly impact Django's security model, it poses risks when logs are consumed or interpreted by other tools. To fix this, the internal django.utils.log.log_response() function now escapes all positional formatting arguments using a safe encoding.
-
- An initial fix was released in Django 5.1.10; however, it introduced regressions and was superseded by Django 5.1.11, which properly escapes all positional formatting arguments using a safe encoding in django.utils.log.log_response().
CVE-2025-48432 edited at 12 Jun 2025 07:51:40
Description
Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.
Although this does not directly impact Django's security model, it poses risks when logs are consumed or interpreted by other tools. To fix this, the internal django.utils.log.log_response() function now escapes all positional formatting arguments using a safe encoding.
+
+ An initial fix was released in Django 5.1.10; however, it introduced regressions and was superseded by Django 5.1.11, which properly escapes all positional formatting arguments using a safe encoding in django.utils.log.log_response().
CVE-2025-48432 edited at 12 Jun 2025 07:48:09
References
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
https://docs.djangoproject.com/en/dev/releases/5.1.10/#cve-2025-48432-potential-log-injection-via-unescaped-request-path
+ https://docs.djangoproject.com/en/dev/releases/5.1.11/
CVE-2025-48432 edited at 11 Jun 2025 20:58:33
References
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
+ https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
https://docs.djangoproject.com/en/dev/releases/5.1.10/#cve-2025-48432-potential-log-injection-via-unescaped-request-path
CVE-2025-48432 created at 04 Jun 2025 21:00:06
Severity
+ Low
Remote
+ Remote
Type
+ Content spoofing
Description
+ Internal HTTP response logging used request.path directly, allowing control characters (e.g. newlines or ANSI escape sequences) to be written unescaped into logs. This could enable log injection or forgery, letting attackers manipulate log appearance or structure, especially in logs processed by external systems or viewed in terminals.
+
+ Although this does not directly impact Django's security model, it poses risks when logs are consumed or interpreted by other tools. To fix this, the internal django.utils.log.log_response() function now escapes all positional formatting arguments using a safe encoding.
References
+ https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
+ https://docs.djangoproject.com/en/dev/releases/5.1.10/#cve-2025-48432-potential-log-injection-via-unescaped-request-path
Notes