From a07ebec5591e233d8bbb38b7d63f35c5479eef0e Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Tue, 20 May 2025 15:29:52 -0300 Subject: Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`. Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson Co-authored-by: Jake Howard --- docs/releases/4.2.22.txt | 14 ++++++++++++++ docs/releases/5.1.10.txt | 14 ++++++++++++++ docs/releases/5.2.2.txt | 14 ++++++++++++++ 3 files changed, 42 insertions(+) (limited to 'docs') diff --git a/docs/releases/4.2.22.txt b/docs/releases/4.2.22.txt index 83c49b787b..ba3cc33248 100644 --- a/docs/releases/4.2.22.txt +++ b/docs/releases/4.2.22.txt @@ -5,3 +5,17 @@ Django 4.2.22 release notes *June 4, 2025* Django 4.2.22 fixes a security issue with severity "low" in 4.2.21. + +CVE-2025-48432: Potential log injection via unescaped request path +================================================================== + +Internal HTTP response logging used ``request.path`` directly, allowing control +characters (e.g. newlines or ANSI escape sequences) to be written unescaped +into logs. This could enable log injection or forgery, letting attackers +manipulate log appearance or structure, especially in logs processed by +external systems or viewed in terminals. + +Although this does not directly impact Django's security model, it poses risks +when logs are consumed or interpreted by other tools. To fix this, the internal +``django.utils.log.log_response()`` function now escapes all positional +formatting arguments using a safe encoding. diff --git a/docs/releases/5.1.10.txt b/docs/releases/5.1.10.txt index 7f2d4c2499..b5cc1f89a1 100644 --- a/docs/releases/5.1.10.txt +++ b/docs/releases/5.1.10.txt @@ -5,3 +5,17 @@ Django 5.1.10 release notes *June 4, 2025* Django 5.1.10 fixes a security issue with severity "low" in 5.1.9. + +CVE-2025-48432: Potential log injection via unescaped request path +================================================================== + +Internal HTTP response logging used ``request.path`` directly, allowing control +characters (e.g. newlines or ANSI escape sequences) to be written unescaped +into logs. This could enable log injection or forgery, letting attackers +manipulate log appearance or structure, especially in logs processed by +external systems or viewed in terminals. + +Although this does not directly impact Django's security model, it poses risks +when logs are consumed or interpreted by other tools. To fix this, the internal +``django.utils.log.log_response()`` function now escapes all positional +formatting arguments using a safe encoding. diff --git a/docs/releases/5.2.2.txt b/docs/releases/5.2.2.txt index 56efb69bfb..556e5b3d50 100644 --- a/docs/releases/5.2.2.txt +++ b/docs/releases/5.2.2.txt @@ -7,6 +7,20 @@ Django 5.2.2 release notes Django 5.2.2 fixes a security issue with severity "low" and several bugs in 5.2.1. +CVE-2025-48432: Potential log injection via unescaped request path +================================================================== + +Internal HTTP response logging used ``request.path`` directly, allowing control +characters (e.g. newlines or ANSI escape sequences) to be written unescaped +into logs. This could enable log injection or forgery, letting attackers +manipulate log appearance or structure, especially in logs processed by +external systems or viewed in terminals. + +Although this does not directly impact Django's security model, it poses risks +when logs are consumed or interpreted by other tools. To fix this, the internal +``django.utils.log.log_response()`` function now escapes all positional +formatting arguments using a safe encoding. + Bugfixes ======== -- cgit v1.3