PYSEC-2025-47 — Vulnetix

PYSEC-2025-47 PUBLISHED

An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

Affected Products

Vendor	Product	Versions
PyPI	django	5.2, 4.2, 4.2.11

Timeline

Jun 5, 2025 CVE Published
Sep 25, 2025 CVE Updated

References

https://www.djangoproject.com/weblog/2025/jun/04/security-releases/ article
https://docs.djangoproject.com/en/dev/releases/security/ url
https://groups.google.com/g/django-announce url
http://www.openwall.com/lists/oss-security/2025/06/04/5 url

Open in Interactive Console →