summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/4.2.22.txt14
1 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/4.2.22.txt b/docs/releases/4.2.22.txt
index 83c49b787b..ba3cc33248 100644
--- a/docs/releases/4.2.22.txt
+++ b/docs/releases/4.2.22.txt
@@ -5,3 +5,17 @@ Django 4.2.22 release notes
*June 4, 2025*
Django 4.2.22 fixes a security issue with severity "low" in 4.2.21.
+
+CVE-2025-48432: Potential log injection via unescaped request path
+==================================================================
+
+Internal HTTP response logging used ``request.path`` directly, allowing control
+characters (e.g. newlines or ANSI escape sequences) to be written unescaped
+into logs. This could enable log injection or forgery, letting attackers
+manipulate log appearance or structure, especially in logs processed by
+external systems or viewed in terminals.
+
+Although this does not directly impact Django's security model, it poses risks
+when logs are consumed or interpreted by other tools. To fix this, the internal
+``django.utils.log.log_response()`` function now escapes all positional
+formatting arguments using a safe encoding.
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 21:35:12 +0000