CVE-2025-48432: 
Django vulnerability analysis and mitigation

CVE-2025-48432 is a security vulnerability discovered in Django versions 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. The vulnerability was discovered by Seokchan Yoon and publicly disclosed on June 4, 2025. The issue affects Django's internal HTTP response logging functionality, which failed to properly escape request.path values (Django Security, NVD).

The vulnerability stems from Django's internal HTTP response logging functionality which directly uses request.path without proper escaping. This allows control characters, including newlines and ANSI escape sequences, to be written unescaped into logs. The issue has been assigned a CVSS v3.1 score of 4.0 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N and is classified as CWE-117: Improper Output Neutralization for Logs (NVD, Wiz).

The vulnerability could enable log injection or forgery, allowing attackers to manipulate log appearance or structure. This is particularly concerning when logs are processed by external systems or viewed in terminals. While this does not directly impact Django's security model, it poses risks when logs are consumed or interpreted by other tools (Django Security).

The issue has been fixed in Django versions 5.2.3, 5.1.11, and 4.2.23. The fix involves modifying the internal django.utils.log.log_response() function to escape all positional formatting arguments using a safe encoding. An additional hardening patch was released on June 10, 2025, to migrate remaining response logging paths to a safer logging implementation. Users are encouraged to upgrade to the patched versions as soon as possible (Django Bugfix, Django Security).

The Django security team has classified this vulnerability as 'low' severity according to their security policy. Ubuntu has rated this as a low-priority security issue, noting that it only allows injecting ANSI characters into log files. Additionally, there have been reports of issues with automated update systems, as GitHub Dependabot has been failing to send updates for Django 5.2.3 even when triggered manually (Ubuntu CVE, OSS Security).