CVE-2025-48383: Django-Select2 Vulnerable to Widget Instance Secret Cache Key Leaking

May 27, 2025

Instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can secret access tokens across requests. This can allow users to access restricted querysets and restricted data.

References

github.com/advisories/GHSA-wjrh-hj83-3wh7
github.com/codingjoe/django-select2
github.com/codingjoe/django-select2/commit/e5f41e6edba004d35f94915ff5e2559f44853412
github.com/codingjoe/django-select2/security/advisories/GHSA-wjrh-hj83-3wh7
nvd.nist.gov/vuln/detail/CVE-2025-48383

Code Behaviors & Features

Detect and mitigate CVE-2025-48383 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →