PYSEC-2025-47

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2025-47.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2025-47

Aliases

Published

2025-06-05T03:15:25Z

Modified

2025-06-06T16:27:39.810419Z

Summary

[none]

Details

An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.2

Fixed

5.2.2

Introduced

5.1

Fixed

5.1.10

Introduced

4.2

Fixed

4.2.22

Affected versions

4.*

4.2

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

4.2.10

4.2.11

4.2.12

4.2.13

4.2.14

4.2.15

4.2.16

4.2.17

4.2.18

4.2.19

4.2.20

4.2.21

5.*

5.1

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.2

5.2.1