CVE-2025-48432: 
Django vulnerability analysis and mitigation

An issue was discovered in Django versions 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. The vulnerability was discovered by Seokchan Yoon and publicly disclosed on June 4, 2025 (Django Announce, NVD).

The vulnerability stems from Django's internal HTTP response logging functionality which directly uses request.path without proper escaping. This allows control characters, including newlines and ANSI escape sequences, to be written unescaped into logs. The issue has been assigned a CVSS v3.1 score of 4.0 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N. The vulnerability is classified as CWE-117: Improper Output Neutralization for Logs (NVD, OSS Security).

The vulnerability could enable log injection or forgery, allowing attackers to manipulate log appearance or structure. This is particularly concerning when logs are processed by external systems or viewed in terminals. While this does not directly impact Django's security model, it poses risks when logs are consumed or interpreted by other tools (OSS Security).

The issue has been fixed in Django versions 5.2.2, 5.1.10, and 4.2.22. The fix involves modifying the internal django.utils.log.log_response() function to escape all positional formatting arguments using a safe encoding. Users are encouraged to upgrade to the patched versions as soon as possible (Django Announce, Ubuntu Security).

The Django security team has classified this vulnerability as 'moderate' severity according to their security policy. Ubuntu has rated this as a low-priority security issue, noting that it only allows injecting ANSI characters into log files (Ubuntu CVE).