diff options
| author | Natalia <124304+nessita@users.noreply.github.com> | 2025-05-20 15:29:52 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2025-06-04 08:33:30 -0300 |
| commit | a07ebec5591e233d8bbb38b7d63f35c5479eef0e (patch) | |
| tree | 3a770cfd1708a0be5a198b8300e775ce4e95036d /docs | |
| parent | 08187c94ed02c45ad40a32244dedeaa7ac71ca87 (diff) | |
Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.2.22.txt | 14 | ||||
| -rw-r--r-- | docs/releases/5.1.10.txt | 14 | ||||
| -rw-r--r-- | docs/releases/5.2.2.txt | 14 |
3 files changed, 42 insertions, 0 deletions
diff --git a/docs/releases/4.2.22.txt b/docs/releases/4.2.22.txt index 83c49b787b..ba3cc33248 100644 --- a/docs/releases/4.2.22.txt +++ b/docs/releases/4.2.22.txt @@ -5,3 +5,17 @@ Django 4.2.22 release notes *June 4, 2025* Django 4.2.22 fixes a security issue with severity "low" in 4.2.21. + +CVE-2025-48432: Potential log injection via unescaped request path +================================================================== + +Internal HTTP response logging used ``request.path`` directly, allowing control +characters (e.g. newlines or ANSI escape sequences) to be written unescaped +into logs. This could enable log injection or forgery, letting attackers +manipulate log appearance or structure, especially in logs processed by +external systems or viewed in terminals. + +Although this does not directly impact Django's security model, it poses risks +when logs are consumed or interpreted by other tools. To fix this, the internal +``django.utils.log.log_response()`` function now escapes all positional +formatting arguments using a safe encoding. diff --git a/docs/releases/5.1.10.txt b/docs/releases/5.1.10.txt index 7f2d4c2499..b5cc1f89a1 100644 --- a/docs/releases/5.1.10.txt +++ b/docs/releases/5.1.10.txt @@ -5,3 +5,17 @@ Django 5.1.10 release notes *June 4, 2025* Django 5.1.10 fixes a security issue with severity "low" in 5.1.9. + +CVE-2025-48432: Potential log injection via unescaped request path +================================================================== + +Internal HTTP response logging used ``request.path`` directly, allowing control +characters (e.g. newlines or ANSI escape sequences) to be written unescaped +into logs. This could enable log injection or forgery, letting attackers +manipulate log appearance or structure, especially in logs processed by +external systems or viewed in terminals. + +Although this does not directly impact Django's security model, it poses risks +when logs are consumed or interpreted by other tools. To fix this, the internal +``django.utils.log.log_response()`` function now escapes all positional +formatting arguments using a safe encoding. diff --git a/docs/releases/5.2.2.txt b/docs/releases/5.2.2.txt index 56efb69bfb..556e5b3d50 100644 --- a/docs/releases/5.2.2.txt +++ b/docs/releases/5.2.2.txt @@ -7,6 +7,20 @@ Django 5.2.2 release notes Django 5.2.2 fixes a security issue with severity "low" and several bugs in 5.2.1. +CVE-2025-48432: Potential log injection via unescaped request path +================================================================== + +Internal HTTP response logging used ``request.path`` directly, allowing control +characters (e.g. newlines or ANSI escape sequences) to be written unescaped +into logs. This could enable log injection or forgery, letting attackers +manipulate log appearance or structure, especially in logs processed by +external systems or viewed in terminals. + +Although this does not directly impact Django's security model, it poses risks +when logs are consumed or interpreted by other tools. To fix this, the internal +``django.utils.log.log_response()`` function now escapes all positional +formatting arguments using a safe encoding. + Bugfixes ======== |
