CVE-2025-48432: Django Improper Output Neutralization for Logs vulnerability
(updated )
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
References
- docs.djangoproject.com/en/dev/releases/security
- github.com/advisories/GHSA-7xr5-9hcq-chf9
- github.com/django/django
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-47.yaml
- groups.google.com/g/django-announce
- nvd.nist.gov/vuln/detail/CVE-2025-48432
- www.djangoproject.com/weblog/2025/jun/04/security-releases
- www.djangoproject.com/weblog/2025/jun/10/bugfix-releases
Code Behaviors & Features
Detect and mitigate CVE-2025-48432 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →