[4.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.

Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.

To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.

Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.

Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>

Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.

1 files changed, 14 insertions, 0 deletions

diff --git a/docs/releases/4.2.22.txt b/docs/releases/4.2.22.txt
index 83c49b787b..ba3cc33248 100644
--- a/docs/releases/4.2.22.txt
+++ b/docs/releases/4.2.22.txt
@@ -5,3 +5,17 @@ Django 4.2.22 release notes
 *June 4, 2025*
 
 Django 4.2.22 fixes a security issue with severity "low" in 4.2.21.
+
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.