path: root/django/utils/log.py
author: Natalia <124304+nessita@users.noreply.github.com> 2025-05-20 15:29:52 -0300
committer: Natalia <124304+nessita@users.noreply.github.com> 2025-06-04 08:33:30 -0300
commit: a07ebec5591e233d8bbb38b7d63f35c5479eef0e (patch)
tree: 3a770cfd1708a0be5a198b8300e775ce4e95036d /django/utils/log.py
parent: 08187c94ed02c45ad40a32244dedeaa7ac71ca87 (diff)
Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.
Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding.

Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.

Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
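An added example, not Django's own code, that replays the behaviour the commit message describes: a constructed request path carrying a CRLF sequence is formatted into a log record once as-is and once after the `unicode_escape` treatment the patch applies, so the escaped render stays a single line. The `escape_log_args`, `render_log` and `log_line_count` helpers and the sample path are assumptions for illustration.

```python
import io
import logging

# Constructed sample (not from any real request): a path that carries a CRLF
# sequence followed by text shaped like a second, forged log record.
INJECTED_PATH = "/login\r\nINFO Forged entry: user admin logged in"


def escape_log_args(args):
    """Escape str positional arguments the way the commit does for log_response().

    Non-str values (e.g. an int status code) pass through unchanged; non-ASCII
    characters are also rewritten, so 'caf\u00e9' becomes 'caf\\xe9'.
    """
    return tuple(
        a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
        for a in args
    )


def render_log(message, args, escape):
    """Emit one warning record through an isolated logger and return its text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(f"example.{escape}")  # hypothetical logger name
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.warning(message, *(escape_log_args(args) if escape else args))
    handler.flush()
    return buf.getvalue()


def log_line_count(message, args, escape):
    """Number of physical lines the record occupies in the log output."""
    return len(render_log(message, args, escape).splitlines())


if __name__ == "__main__":
    msg = "Not Found: %s"
    # Unescaped: the CRLF splits the record and the tail reads as its own entry.
    print(render_log(msg, (INJECTED_PATH,), escape=False))
    # Escaped: the CRLF is rendered as the literal characters \r\n on one line.
    print(render_log(msg, (INJECTED_PATH,), escape=True))
```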
Diffstat (limited to 'django/utils/log.py')
-rw-r--r-- django/utils/log.py 7
1 files changed, 6 insertions, 1 deletions
diff --git a/django/utils/log.py b/django/utils/log.py
index a25b97a7d5..67a40270f0 100644
--- a/django/utils/log.py
+++ b/django/utils/log.py
@@ -245,9 +245,14 @@ def log_response(
else:
level = "info"
+ escaped_args = tuple(
+ a.encode("unicode_escape").decode("ascii") if isinstance(a, str) else a
+ for a in args
+ )
+
getattr(logger, level)(
message,
- *args,
+ *escaped_args,
extra={
"status_code": response.status_code,
"request": request,
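Review bot: the guard `if isinstance(a, str) else a` escapes only `str` positional arguments, so a `bytes` value or a lazy string object passed in `args` would still reach the log with any control characters intact; either confirm that every caller of `log_response()` passes plain `str` for anything that can carry request data, or extend the guard to cover those types. Also worth a line in the docstring or release notes: `unicode_escape` rewrites every non-ASCII character as well (an `é` in a request path now logs as `\xe9`), which changes how existing log lines for non-ASCII paths look to operators and log-parsing tools.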