summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorNatalia <124304+nessita@users.noreply.github.com>2025-05-20 15:29:52 -0300
committerNatalia <124304+nessita@users.noreply.github.com>2025-06-04 08:33:30 -0300
commita07ebec5591e233d8bbb38b7d63f35c5479eef0e (patch)
tree3a770cfd1708a0be5a198b8300e775ce4e95036d /docs
parent08187c94ed02c45ad40a32244dedeaa7ac71ca87 (diff)
Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.
Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net>
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/4.2.22.txt14
-rw-r--r--docs/releases/5.1.10.txt14
-rw-r--r--docs/releases/5.2.2.txt14
3 files changed, 42 insertions, 0 deletions
diff --git a/docs/releases/4.2.22.txt b/docs/releases/4.2.22.txt
index 83c49b787b..ba3cc33248 100644
--- a/docs/releases/4.2.22.txt
+++ b/docs/releases/4.2.22.txt
@@ -5,3 +5,17 @@ Django 4.2.22 release notes
*June 4, 2025*
Django 4.2.22 fixes a security issue with severity "low" in 4.2.21.
+
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.
diff --git a/docs/releases/5.1.10.txt b/docs/releases/5.1.10.txt
index 7f2d4c2499..b5cc1f89a1 100644
--- a/docs/releases/5.1.10.txt
+++ b/docs/releases/5.1.10.txt
@@ -5,3 +5,17 @@ Django 5.1.10 release notes
*June 4, 2025*
Django 5.1.10 fixes a security issue with severity "low" in 5.1.9.
+
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.
diff --git a/docs/releases/5.2.2.txt b/docs/releases/5.2.2.txt
index 56efb69bfb..556e5b3d50 100644
--- a/docs/releases/5.2.2.txt
+++ b/docs/releases/5.2.2.txt
@@ -7,6 +7,20 @@ Django 5.2.2 release notes
Django 5.2.2 fixes a security issue with severity "low" and several bugs in
5.2.1.
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.
+
Bugfixes
========