VDB
CVE-2025-48432
CVE-2025-48432
PUBLISHED
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
EPSS 0.41% · 61.8th percentile
Risk Scores
EPSS Score
0.41%
61.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | django | 5.1.0, 5.2.0, 4.2.0 |
| Bitnami | django | 5.1.0, 5.2.0, 4.2.0 |
Timeline
- Jun 4, 2025 CVE Published
- Jun 5, 2025 EPSS Score
- Jun 16, 2025 EPSS Score
- Jun 19, 2025 Coalition ESS Score
- Jun 26, 2025 EPSS Score
- Jul 7, 2025 EPSS Score
- Jul 18, 2025 EPSS Score
- Jul 28, 2025 EPSS Score
- Aug 8, 2025 EPSS Score
- Aug 19, 2025 EPSS Score
- Aug 22, 2025 Coalition ESS Score
- Aug 26, 2025 Coalition ESS Score
References
- http://www.openwall.com/lists/oss-security/2025/06/04/5 url
- http://www.openwall.com/lists/oss-security/2025/06/10/2 url
- http://www.openwall.com/lists/oss-security/2025/06/10/3 url
- http://www.openwall.com/lists/oss-security/2025/06/10/4 url
- https://docs.djangoproject.com/en/dev/releases/security/ url
- https://groups.google.com/g/django-announce url
- https://nvd.nist.gov/vuln/detail/CVE-2025-48432 url
- https://www.djangoproject.com/weblog/2025/jun/04/security-releases/ url
- https://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/ url