Diffstat (limited to 'docs/releases/5.2.2.txt')
| -rw-r--r-- | docs/releases/5.2.2.txt | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/5.2.2.txt b/docs/releases/5.2.2.txt index 56efb69bfb..556e5b3d50 100644 --- a/docs/releases/5.2.2.txt +++ b/docs/releases/5.2.2.txt @@ -7,6 +7,20 @@ Django 5.2.2 release notes Django 5.2.2 fixes a security issue with severity "low" and several bugs in 5.2.1. +CVE-2025-48432: Potential log injection via unescaped request path +================================================================== + +Internal HTTP response logging used ``request.path`` directly, allowing control +characters (e.g. newlines or ANSI escape sequences) to be written unescaped +into logs. This could enable log injection or forgery, letting attackers +manipulate log appearance or structure, especially in logs processed by +external systems or viewed in terminals. + +Although this does not directly impact Django's security model, it poses risks +when logs are consumed or interpreted by other tools. To fix this, the internal +``django.utils.log.log_response()`` function now escapes all positional +formatting arguments using a safe encoding. + Bugfixes ======== |
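Review bot: "using a safe encoding" in the last paragraph of the new section is too vague for a release note that changes what ends up in logs; name the escaping that ``django.utils.log.log_response()`` now applies so operators know how a path containing a newline, an ANSI escape sequence or a non-ASCII character will be rendered from 5.2.2 on, because log parsers and alert rules keyed on the previous raw format may need updating. It would also help to state explicitly that the escaping covers every positional formatting argument passed to ``log_response()``, not only ``request.path``, since the first paragraph mentions only the path while the fix sentence describes all arguments.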
