5.3

CVE-2025-48432

An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DjangoprojectDjango Version >= 4.2 < 4.2.23
DjangoprojectDjango Version >= 5.1 < 5.1.11
DjangoprojectDjango Version >= 5.2 < 5.2.3
DebianDebian Linux Version11.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.6% 0.44
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cve@mitre.org 4 2.2 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
CWE-117 Improper Output Neutralization for Logs

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

https://docs.djangoproject.com/en/dev/releases/security/
Vendor Advisory
https://groups.google.com/g/django-announce
Vendor Advisory
https://www.djangoproject.com/weblog/2025/jun/04/security-releases/
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/06/04/5
Third Party Advisory
Mailing List
https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
Release Notes
http://www.openwall.com/lists/oss-security/2025/06/10/2
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2025/06/10/3
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2025/06/10/4
Mailing List