CVE-2025-48383: 
Python vulnerability analysis and mitigation

Django-Select2, a Django integration for Select2, was found to contain a security vulnerability (CVE-2025-48383) affecting versions prior to 8.4.1. The vulnerability was discovered and disclosed on May 26, 2025, impacting instances of HeavySelect2Mixin subclasses, specifically the ModelSelect2MultipleWidget and ModelSelect2Widget components (GitHub Advisory).

The vulnerability involves the leakage of secret access tokens across requests in instances of HeavySelect2Mixin subclasses. The issue received a CVSS v3.1 base score of 8.2 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. The vulnerability is classified under CWE-402 (Transmission of Private Resources into a New Sphere) and CWE-918 (Server-Side Request Forgery) (GitHub Advisory).

The vulnerability allows users to access restricted querysets and restricted data, potentially compromising sensitive information. The high CVSS score reflects significant confidentiality impact and low integrity impact, with no impact on system availability (GitHub Advisory).

The vulnerability has been patched in version 8.4.1 and all subsequent versions. As a workaround, users can pass the widget class instead of creating an instance during app loading. For example, instead of using 'Select2ModelWidget()', users should use 'Select2ModelWidget' in their form Meta widgets configuration (GitHub Advisory).